{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Database exports and local database files can contain production data, credentials, or large binary payloads that slow Docker builds and can be copied into images by broad COPY instructions."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC125", "name": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeh", "shortDescription": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim "}, "fullDescription": {"text": "Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC011", "name": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted", "shortDescription": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "fullDescription": {"text": "Use torch.load(..., weights_only=True) or use safetensors format."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC017", "name": "[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.", "shortDescription": {"text": "[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Cost abuse \u2014 an attacker can send extremely"}, "fullDescription": {"text": "1) Enforce a maximum input length BEFORE sending to the API: e.g. `if len(text) > 4000: return error`. 2) Use token counting (tiktoken for OpenAI, anthropic's token counter) to enforce token-level limits. 3) Set max_tokens on the API call to cap response cost. 4) Add rate limiting per user/IP to prevent automated abuse. 5) Monitor API spend with alerts for unusual usage patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "llm_injection", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC139", "name": "[SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payme", "shortDescription": {"text": "[SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payments, or webhooks \u2014 exactly the surfaces that need tests \u2014 with no companion test file. AI agents rewrite handlers fluent"}, "fullDescription": {"text": "Require a companion test file for any change to auth/admin/users/payments/webhooks paths. CI gate: if `src/auth/*.py` changed in a PR, fail if `tests/auth/*.py` did not also change. For migrations, require an explicit rollback (`op.execute('-- rollback ...')`) plus a test that exercises both directions."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC014", "name": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.", "shortDescription": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "fullDescription": {"text": "Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `express` is 1 major version(s) behind (^4.19.0 -> 5.2.1)", "shortDescription": {"text": "npm package `express` is 1 major version(s) behind (^4.19.0 -> 5.2.1)"}, "fullDescription": {"text": "`express` is pinned/resolved at ^4.19.0 but the latest stable release on the npm registry is 5.2.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED124", "name": "requirements.txt: `numpy` has no version pin", "shortDescription": {"text": "requirements.txt: `numpy` has no version pin"}, "fullDescription": {"text": "Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Pip's package cache increases image size and can preserve unnecessary artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `check_install_hints` has cognitive complexity 10 (SonarSource scale). Cog", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `check_install_hints` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and rec"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 10."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-PY", "name": "Python package `uvicorn` is minor version(s) behind (0.30.0 -> 0.49.0)", "shortDescription": {"text": "Python package `uvicorn` is minor version(s) behind (0.30.0 -> 0.49.0)"}, "fullDescription": {"text": "`uvicorn==0.30.0` is minor version(s) behind the latest stable release on PyPI (0.49.0). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "low", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED084", "name": "[MINED084] Cbc No Mac: AES.new(..., MODE_CBC) without authenticated encryption \u2014 vulnerable to padding-oracle attacks.", "shortDescription": {"text": "[MINED084] Cbc No Mac: AES.new(..., MODE_CBC) without authenticated encryption \u2014 vulnerable to padding-oracle attacks."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-310,CWE-326 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2024-110", "name": "scikit-learn: PYSEC-2024-110", "shortDescription": {"text": "scikit-learn: PYSEC-2024-110"}, "fullDescription": {"text": "A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the `stop_words_` attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the `stop_words_` attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED104", "name": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local pr", "shortDescription": {"text": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local privilege escalation surface; audit-failing for most compliance frameworks."}, "fullDescription": {"text": "Use the least-privilege mode the file actually needs (e.g. 640 for configs, 750 for executables). For directories that genuinely need shared write access, use a group with chmod g+w and chown the right group."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED021", "name": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape.", "shortDescription": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC016", "name": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prom", "shortDescription": {"text": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL injection: an attacker can craft input tha"}, "fullDescription": {"text": "1) Separate user content from instructions: use the 'user' role for user text and 'system' role for your instructions \u2014 never concatenate them into one string. 2) Validate and constrain: limit input length, strip control characters, and reject known injection patterns. 3) Use structured output (JSON mode / function calling) so the model returns data, not freeform actions. 4) Apply output validation: check the AI's response before acting on it. 5) Consider a prompt injection detection layer (e.g. Anthropic's constitutional AI, prompt-guard models)."}, "properties": {"scanner": "repobility-threat-engine", "category": "llm_injection", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED009", "name": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal.", "shortDescription": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in G", "shortDescription": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/checkout` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `python:3.10-slim` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `python:3.10-slim` not pinned by digest"}, "fullDescription": {"text": "`FROM python:3.10-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express POST /events has no auth", "shortDescription": {"text": "Express POST /events has no auth"}, "fullDescription": {"text": "Express route POST /events declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "FastAPI POST /ingest has no auth", "shortDescription": {"text": "FastAPI POST /ingest has no auth"}, "fullDescription": {"text": "Handler `ingest` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self._request` used but never assigned in __init__", "shortDescription": {"text": "`self._request` used but never assigned in __init__"}, "fullDescription": {"text": "Method `post_predict` of class `HTTPClient` reads `self._request`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "stripe-access-token", "name": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.", "shortDescription": {"text": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED030", "name": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.", "shortDescription": {"text": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC081", "name": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary co", "shortDescription": {"text": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3)."}, "fullDescription": {"text": "Use json, msgpack, or protobuf for untrusted data. If pickle is required, sign the payload with HMAC."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED114", "name": "Admin endpoint without auth: POST /admin/reload-model", "shortDescription": {"text": "Admin endpoint without auth: POST /admin/reload-model"}, "fullDescription": {"text": "Handler `admin_reload_model` serves an /admin path (/admin/reload-model) and the function has no Depends/Security parameter and no auth marker in its body. Admin without auth = full takeover."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "critical", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "Missing import: `warnings` used but not imported", "shortDescription": {"text": "Missing import: `warnings` used but not imported"}, "fullDescription": {"text": "The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/981"}, "properties": {"repository": "bdfinst/agentic-dev-team", "repoUrl": "https://github.com/bdfinst/agentic-dev-team", "branch": "main"}, "results": [{"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 92369, "scanner": "repobility-docker", "fingerprint": "e1d245424c31c72e58578191477515df79b503a6e97063986b7994dff9712554", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e1d245424c31c72e58578191477515df79b503a6e97063986b7994dff9712554"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 92366, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 92365, "scanner": "repobility-docker", "fingerprint": "00ecf859b9faad84a3469d431adf8f9141432a61d434bfaad2e19fc77b77a643", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:20-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|00ecf859b9faad84a3469d431adf8f9141432a61d434bfaad2e19fc77b77a643"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/auth-gateway/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 92363, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "evals/codebase-recon/fixtures/non-git-basic/Thumbs.db", "size_mb": 0.0}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC125", "level": "warning", "message": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim \u2014 production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand"}, "properties": {"repobilityId": 92355, "scanner": "repobility-threat-engine", "fingerprint": "f696a21006580713231fbe5c95cb370676deda482a83642ed2539644adaa85fe", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"replace-me\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC125", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f696a21006580713231fbe5c95cb370676deda482a83642ed2539644adaa85fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/security-assessment/harness/tools/shared-cred-hash-match.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC125", "level": "warning", "message": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim \u2014 production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand"}, "properties": {"repobilityId": 92354, "scanner": "repobility-threat-engine", "fingerprint": "20bf2f963d51989c803dede8a44d024117eb0ecd2f87bddceb541ab8aa961f37", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"replace-me\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC125", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|20bf2f963d51989c803dede8a44d024117eb0ecd2f87bddceb541ab8aa961f37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/dev-team/tools/entropy-check.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 92340, "scanner": "repobility-threat-engine", "fingerprint": "778f184f8522605b9a918b0a82595254d7be138a0d3fdc6e280d0b0e88796dfc", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pickle.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|9|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/semgrep-rulesets/ml-patterns/positive/bad_pickle.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC011", "level": "warning", "message": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "properties": {"repobilityId": 92339, "scanner": "repobility-threat-engine", "fingerprint": "e802fba8843d63b6dea391011b2ea0a27ac3398272cbe42507e26feaf572e811", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "torch.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC011", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|20|sec011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/semgrep-rulesets/ml-patterns/positive/bad_pickle.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC017", "level": "warning", "message": {"text": "[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Cost abuse \u2014 an attacker can send extremely long inputs to burn through your API credits (a single 128K-token request to GPT-4 costs ~$4, and automated attacks can drain budgets in minutes). (2) Context stuffing \u2014 oversized inputs can push your system prompt out of the context window, effectively disab"}, "properties": {"repobilityId": 92337, "scanner": "repobility-threat-engine", "fingerprint": "08b5527e012c57581bbe5cc9e1ae1f968fdc9c0990fd1065a3a50ac771de29d0", "category": "llm_injection", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "This file sends user input to an LLM with no visible length check or rate limit. Risks: (1) cost abuse \u2014 automated long inputs drain API budget ($4/request at 128K tokens on GPT-4), (2) context stuffing \u2014 oversized input pushes system prompt out of context window, disabling safety rules. Add input length validation before the API call.", "evidence": {"reason": "This file sends user input to an LLM with no visible length check or rate limit. Risks: (1) cost abuse \u2014 automated long inputs drain API budget ($4/request at 128K tokens on GPT-4), (2) context stuffing \u2014 oversized input pushes system prompt out of context window, disabling safety rules. Add input length validation before the API call.", "rule_id": "SEC017", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "fp|08b5527e012c57581bbe5cc9e1ae1f968fdc9c0990fd1065a3a50ac771de29d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/semgrep-rulesets/llm-safety/positive/bad_llm_usage.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC002", "level": "warning", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 92335, "scanner": "repobility-threat-engine", "fingerprint": "1d406fc5695f4d3c596f9c330092cc4b4d42adcb7b233376cfa59b9e4717ca9b", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (1.4 bits) \u2014 may be placeholder or common string", "evidence": {"match": "api_key = \"<redacted>\"", "reason": "Low entropy value (1.4 bits) \u2014 may be placeholder or common string", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|1|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/semgrep-rulesets/llm-safety/positive/bad_llm_usage.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC139", "level": "warning", "message": {"text": "[SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payments, or webhooks \u2014 exactly the surfaces that need tests \u2014 with no companion test file. AI agents rewrite handlers fluently but skip the test diff almost every time, leaving high-blast-radius code uncovered. Distinct from generic 'no tests' because we target sensitive surfaces where the absence of tests is itself a risk signal. CWE-1078 (missing test coverage of security-critica"}, "properties": {"repobilityId": 92330, "scanner": "repobility-threat-engine", "fingerprint": "01a4bc406376cb03689cb80a0274cb7819ad4e23a9b21693c11d2f98ecf1288b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@app.post(\"/admin/reload-model\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC139", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|01a4bc406376cb03689cb80a0274cb7819ad4e23a9b21693c11d2f98ecf1288b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/src/server.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "properties": {"repobilityId": 92321, "scanner": "repobility-threat-engine", "fingerprint": "ad6cd4eadd04ad4b128984bf4cc54a2c33f695cd28237629d5b6061cffb85324", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "verify=False", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC014", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|9|sec014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/semgrep-rulesets/crypto-anti-patterns/positive/bad_crypto.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "properties": {"repobilityId": 92320, "scanner": "repobility-threat-engine", "fingerprint": "b2e47b9fd3fb71dadecec9e95aa3453820875f744a640b8c37dc00b59fc71b58", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "verify=False", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC014", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|16|sec014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/src/crypto_utils.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `express` is 1 major version(s) behind (^4.19.0 -> 5.2.1)"}, "properties": {"repobilityId": 92315, "scanner": "repobility-dependency-currency", "fingerprint": "e426faebc920f666424d92c2f1c3f92249207a21ff4c794987a5a176319eecbf", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "express", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.2.1", "correlation_key": "fp|e426faebc920f666424d92c2f1c3f92249207a21ff4c794987a5a176319eecbf", "current_version": "^4.19.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/codebase-recon/fixtures/ts-monorepo/packages/api/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `express` is 1 major version(s) behind (^4.18.2 -> 5.2.1)"}, "properties": {"repobilityId": 92312, "scanner": "repobility-dependency-currency", "fingerprint": "bc68e30a84fa39d15c9be5353bc36f45e9019a0f53f253eb9ae722fd1751f856", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "express", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.2.1", "correlation_key": "fp|bc68e30a84fa39d15c9be5353bc36f45e9019a0f53f253eb9ae722fd1751f856", "current_version": "^4.18.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/fixtures/cs-broken-paths/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/express` is 1 major version(s) behind (^4.17.0 -> 5.0.6)"}, "properties": {"repobilityId": 92310, "scanner": "repobility-dependency-currency", "fingerprint": "dfe17480875febe82b831b075e2cc1e30850a95bc2a124fde391f3452c2377a4", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/express", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.6", "correlation_key": "fp|dfe17480875febe82b831b075e2cc1e30850a95bc2a124fde391f3452c2377a4", "current_version": "^4.17.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/auth-gateway/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `dotenv` is 1 major version(s) behind (^16.3.0 -> 17.4.2)"}, "properties": {"repobilityId": 92309, "scanner": "repobility-dependency-currency", "fingerprint": "76a8393354541bf8bdd0b3312473e0ccc5908c930304110953957e46efbd7642", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "dotenv", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.4.2", "correlation_key": "fp|76a8393354541bf8bdd0b3312473e0ccc5908c930304110953957e46efbd7642", "current_version": "^16.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/auth-gateway/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `express` is 1 major version(s) behind (^4.19.0 -> 5.2.1)"}, "properties": {"repobilityId": 92306, "scanner": "repobility-dependency-currency", "fingerprint": "027d13453473c911a5defed9b8e68a71df2de95246264c3a692f953d0f4854fb", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "express", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.2.1", "correlation_key": "fp|027d13453473c911a5defed9b8e68a71df2de95246264c3a692f953d0f4854fb", "current_version": "^4.19.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/auth-gateway/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `numpy` has no version pin"}, "properties": {"repobilityId": 92298, "scanner": "repobility-supply-chain", "fingerprint": "28efcd698025901a6218ce257f3957d82870c941bb70c6684c0cd23f2f6a0b26", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|28efcd698025901a6218ce257f3957d82870c941bb70c6684c0cd23f2f6a0b26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/requirements.txt"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `pycryptodome` has no version pin"}, "properties": {"repobilityId": 92297, "scanner": "repobility-supply-chain", "fingerprint": "efaaf7ceda59b56b2dea3c26e52030a5ce59c0c22951687eb10e5f1604e34d3d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|efaaf7ceda59b56b2dea3c26e52030a5ce59c0c22951687eb10e5f1604e34d3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/requirements.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `httpx` has no version pin"}, "properties": {"repobilityId": 92296, "scanner": "repobility-supply-chain", "fingerprint": "41b4e59f147fce5b6d8b6fe96238ac9fb1b03e138fcee2dd99243a9ceb045429", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|41b4e59f147fce5b6d8b6fe96238ac9fb1b03e138fcee2dd99243a9ceb045429"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/requirements.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `onnx` has no version pin"}, "properties": {"repobilityId": 92295, "scanner": "repobility-supply-chain", "fingerprint": "d4412609b78032a1d6ba560d88d77fc81592b10a6313132463d94a166af6b987", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d4412609b78032a1d6ba560d88d77fc81592b10a6313132463d94a166af6b987"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `fastapi` has no version pin"}, "properties": {"repobilityId": 92294, "scanner": "repobility-supply-chain", "fingerprint": "bea11cb4e6d821c72b4792ab2846c6ba393a77c4b7ba77f7aac17e26e9b447b0", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bea11cb4e6d821c72b4792ab2846c6ba393a77c4b7ba77f7aac17e26e9b447b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 92274, "scanner": "repobility-ast-engine", "fingerprint": "84fbc1f7e4fc50b4a3553058b7acf116c57c8a90cee80a889ef7b8b0a110f02a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|84fbc1f7e4fc50b4a3553058b7acf116c57c8a90cee80a889ef7b8b0a110f02a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/security-assessment/harness/redteam/probes/05_evasion_attack.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 92273, "scanner": "repobility-ast-engine", "fingerprint": "432a90529e5c5017f28ca9b2a11eaca41f6cbd4a015ade19c5932e914715460a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|432a90529e5c5017f28ca9b2a11eaca41f6cbd4a015ade19c5932e914715460a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/security-assessment/harness/redteam/orchestrator.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 92272, "scanner": "repobility-ast-engine", "fingerprint": "31d219ea6a2020471b3e1ad1eeeba82c4acbfc0d3b40b7074f63f9e3b8ad6078", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|31d219ea6a2020471b3e1ad1eeeba82c4acbfc0d3b40b7074f63f9e3b8ad6078"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/semgrep-rulesets/fraud-domain/negative/good_scoring.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 92271, "scanner": "repobility-ast-engine", "fingerprint": "bf908c43ae64a845671bbd40b26707db6168f60b7ee1ed3baf741d4e2627793d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bf908c43ae64a845671bbd40b26707db6168f60b7ee1ed3baf741d4e2627793d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/semgrep-rulesets/fraud-domain/positive/bad_scoring.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 92270, "scanner": "repobility-ast-engine", "fingerprint": "81f01308c96b6675fcc819b758d3ffa89591459dceb1e7a04602cd0f0139f7b1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|81f01308c96b6675fcc819b758d3ffa89591459dceb1e7a04602cd0f0139f7b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/static-analysis-tools/validate.py"}, "region": {"startLine": 248}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 92269, "scanner": "repobility-ast-engine", "fingerprint": "962e72b2b2676f855386697bba92d20f4d686b5f3e26163e94befd8d7456685d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|962e72b2b2676f855386697bba92d20f4d686b5f3e26163e94befd8d7456685d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/lib/normalize_findings.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 92367, "scanner": "repobility-docker", "fingerprint": "9e832a5ae211bfd59a2cc7bcb4cc96192acaa8d7ab63ef84071b0b74ee79afef", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9e832a5ae211bfd59a2cc7bcb4cc96192acaa8d7ab63ef84071b0b74ee79afef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `check_install_hints` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=2, for=2, if=4, nested_bonus=2."}, "properties": {"repobilityId": 92345, "scanner": "repobility-threat-engine", "fingerprint": "89a834ad1e89cbf0cf94d0cdac5c938306111a3e349f10c16e5ddc9e3151970c", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "check_install_hints", "breakdown": {"if": 4, "for": 2, "continue": 2, "nested_bonus": 2}, "complexity": 10, "correlation_key": "fp|89a834ad1e89cbf0cf94d0cdac5c938306111a3e349f10c16e5ddc9e3151970c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/static-analysis-tools/validate.py"}, "region": {"startLine": 188}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `uvicorn` is minor version(s) behind (0.30.0 -> 0.49.0)"}, "properties": {"repobilityId": 92314, "scanner": "repobility-dependency-currency", "fingerprint": "b1c554a930c5f3416cb8994db0172e5a9bbfaeb112c767afe7cd1f7006b0cb00", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "uvicorn", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.49.0", "correlation_key": "fp|b1c554a930c5f3416cb8994db0172e5a9bbfaeb112c767afe7cd1f7006b0cb00", "current_version": "0.30.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/codebase-recon/fixtures/polyglot/backend/requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `fastapi` is minor version(s) behind (0.111.0 -> 0.136.3)"}, "properties": {"repobilityId": 92313, "scanner": "repobility-dependency-currency", "fingerprint": "95420d13ade271fd4827de3f7ec06feb35c31d32cf29b7eb65ffcaa1d3303f43", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "fastapi", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.136.3", "correlation_key": "fp|95420d13ade271fd4827de3f7ec06feb35c31d32cf29b7eb65ffcaa1d3303f43", "current_version": "0.111.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/codebase-recon/fixtures/polyglot/backend/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92267, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0f2c431474f0872214b7e3754ad2dca97aa41b4e4c6bde533ac7a866c64c49aa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/dev-team/tools/entropy-check.py", "duplicate_line": 143, "correlation_key": "fp|0f2c431474f0872214b7e3754ad2dca97aa41b4e4c6bde533ac7a866c64c49aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/dev-team/tools/model-hash-verify.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 92361, "scanner": "repobility-threat-engine", "fingerprint": "dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c"}}}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 92357, "scanner": "repobility-threat-engine", "fingerprint": "ead64252d5451bb7f9916aa142e3c61a6575f558cc0bb45a661ab841ab647074", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ead64252d5451bb7f9916aa142e3c61a6575f558cc0bb45a661ab841ab647074"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/security-assessment/harness/tools/shared-cred-hash-match.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 92356, "scanner": "repobility-threat-engine", "fingerprint": "f4ed1bed8d924a1c012a185a225eeb949a39ea8fd79ab5ca4abfdf769161573b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f4ed1bed8d924a1c012a185a225eeb949a39ea8fd79ab5ca4abfdf769161573b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/dev-team/tools/entropy-check.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 92351, "scanner": "repobility-threat-engine", "fingerprint": "898f157986d8c917c7e43cf024ec1be0f5b1b82c1cdf2456a75b566a37d95068", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|898f157986d8c917c7e43cf024ec1be0f5b1b82c1cdf2456a75b566a37d95068"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/security-assessment/harness/tools/service-comm-parser.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 92350, "scanner": "repobility-threat-engine", "fingerprint": "87499ef92e881f70a6df83f8999fdfa987c47c884e0a3710898374c234171f3e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|87499ef92e881f70a6df83f8999fdfa987c47c884e0a3710898374c234171f3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/upgrade-migration/migrate.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "properties": {"repobilityId": 92346, "scanner": "repobility-threat-engine", "fingerprint": "092cdd33b76850098954fe20da57aa3bb40a664e57be08030f171bd42e534eec", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 26 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "parse_result", "breakdown": {"if": 15, "or": 8, "and": 1, "elif": 1, "ternary": 4, "nested_bonus": 14}, "aggregated": true, "complexity": 43, "correlation_key": "fp|092cdd33b76850098954fe20da57aa3bb40a664e57be08030f171bd42e534eec", "aggregated_count": 26}}}, {"ruleId": "SEC011", "level": "none", "message": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "properties": {"repobilityId": 92338, "scanner": "repobility-threat-engine", "fingerprint": "0afd48716e0342e0ddc8533902eda819e0c32959333afd63242c4203afad298d", "category": "deserialization", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'weights_only\\s*=\\s*True' detected on same line", "evidence": {"match": "torch.load(", "reason": "Safe pattern 'weights_only\\s*=\\s*True' detected on same line", "rule_id": "SEC011", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|deserialization|token|8|sec011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/semgrep-rulesets/ml-patterns/negative/good_loading.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 92334, "scanner": "repobility-threat-engine", "fingerprint": "641933ddb4f62cfb8c8323a866072551b395bc2f7295c37cbc9e1d94e74dae7b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|641933ddb4f62cfb8c8323a866072551b395bc2f7295c37cbc9e1d94e74dae7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/semgrep-rulesets/crypto-anti-patterns/positive/bad_crypto.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 92333, "scanner": "repobility-threat-engine", "fingerprint": "7279aa8a34501c16bc8f6acfd29e9fbacf2386828a1f8aa090616c00c6f32011", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7279aa8a34501c16bc8f6acfd29e9fbacf2386828a1f8aa090616c00c6f32011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/semgrep-rulesets/crypto-anti-patterns/negative/good_crypto.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED084", "level": "none", "message": {"text": "[MINED084] Cbc No Mac: AES.new(..., MODE_CBC) without authenticated encryption \u2014 vulnerable to padding-oracle attacks."}, "properties": {"repobilityId": 92328, "scanner": "repobility-threat-engine", "fingerprint": "22bcb1dce0e88044ba1ff576c292214f38dee20deae99476f581bdecb0b174ef", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cbc-no-mac", "owasp": "A02:2021", "cwe_ids": ["CWE-310", "CWE-326"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348134+00:00", "triaged_in_corpus": 12, "observations_count": 1546, "ai_coder_pattern_id": 40}, "scanner": "repobility-threat-engine", "correlation_key": "fp|22bcb1dce0e88044ba1ff576c292214f38dee20deae99476f581bdecb0b174ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/semgrep-rulesets/crypto-anti-patterns/positive/bad_crypto.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED084", "level": "none", "message": {"text": "[MINED084] Cbc No Mac: AES.new(..., MODE_CBC) without authenticated encryption \u2014 vulnerable to padding-oracle attacks."}, "properties": {"repobilityId": 92327, "scanner": "repobility-threat-engine", "fingerprint": "7f47a91dd3cdc63268fadbb0e44f4474fd613c9045bb0b622263c92137b26650", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cbc-no-mac", "owasp": "A02:2021", "cwe_ids": ["CWE-310", "CWE-326"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348134+00:00", "triaged_in_corpus": 12, "observations_count": 1546, "ai_coder_pattern_id": 40}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7f47a91dd3cdc63268fadbb0e44f4474fd613c9045bb0b622263c92137b26650"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/src/crypto_utils.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 92319, "scanner": "repobility-threat-engine", "fingerprint": "2139129d259ecdbb133be97c3d6baa4fa33ea8250910f9dc55a0a56789026a5b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2139129d259ecdbb133be97c3d6baa4fa33ea8250910f9dc55a0a56789026a5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/auth-gateway/src/server.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `jsonwebtoken` is patch version(s) behind (^9.0.0 -> 9.0.3)"}, "properties": {"repobilityId": 92316, "scanner": "repobility-dependency-currency", "fingerprint": "565e33c3c3ea65db4e03175eded0c8261df4dc7ebb71a618758420990114b58f", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jsonwebtoken", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.0.3", "correlation_key": "fp|565e33c3c3ea65db4e03175eded0c8261df4dc7ebb71a618758420990114b58f", "current_version": "^9.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/codebase-recon/fixtures/ts-monorepo/packages/api/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `ts-node` is patch version(s) behind (^10.9.0 -> 10.9.2)"}, "properties": {"repobilityId": 92311, "scanner": "repobility-dependency-currency", "fingerprint": "d5c8d2df0c4ac52ab7d59b87eb6ad7bbdbd018fe51c6827e75eec3fea164cc70", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "ts-node", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.9.2", "correlation_key": "fp|d5c8d2df0c4ac52ab7d59b87eb6ad7bbdbd018fe51c6827e75eec3fea164cc70", "current_version": "^10.9.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/auth-gateway/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `node-fetch` is patch version(s) behind (^3.3.0 -> 3.3.2)"}, "properties": {"repobilityId": 92308, "scanner": "repobility-dependency-currency", "fingerprint": "a7857cdbe4eecb7f9d04dabc73617c5b99128e38e3cb6812e842a1eed778b077", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "node-fetch", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.3.2", "correlation_key": "fp|a7857cdbe4eecb7f9d04dabc73617c5b99128e38e3cb6812e842a1eed778b077", "current_version": "^3.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/auth-gateway/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `jsonwebtoken` is patch version(s) behind (^9.0.0 -> 9.0.3)"}, "properties": {"repobilityId": 92307, "scanner": "repobility-dependency-currency", "fingerprint": "cb173291222ecbdab00dfea03027f4db56fabd497d1522e42932dfef67cab1fe", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jsonwebtoken", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.0.3", "correlation_key": "fp|cb173291222ecbdab00dfea03027f4db56fabd497d1522e42932dfef67cab1fe", "current_version": "^9.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/auth-gateway/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2024-110", "level": "error", "message": {"text": "scikit-learn: PYSEC-2024-110"}, "properties": {"repobilityId": 92374, "scanner": "osv-scanner", "fingerprint": "b5a0173cc3d3813d65d79ee2767234cb8ff97ae7b9f5d99d4b656b67f8e177ea", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-5206", "GHSA-jw8x-6495-233v"], "package": "scikit-learn", "rule_id": "PYSEC-2024-110", "scanner": "osv-scanner", "correlation_key": "vuln|scikit-learn|CVE-2024-5206|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-jw8x-6495-233v", "PYSEC-2024-110"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["896a69eeb676d2fc192772db7aa3e0bebc698602e500e3a192e74948f4e94651", "b5a0173cc3d3813d65d79ee2767234cb8ff97ae7b9f5d99d4b656b67f8e177ea"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/security-assessment/harness/redteam/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 92368, "scanner": "repobility-docker", "fingerprint": "26297e5d8e68632368adaa63e12712d6ebec0bc06fdaa0c4a119dac68f0be7cd", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|26297e5d8e68632368adaa63e12712d6ebec0bc06fdaa0c4a119dac68f0be7cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 92364, "scanner": "repobility-docker", "fingerprint": "a09d6b8de84445765f7564a4c8e3ece72df77c71aacbbc5cbdbcfbaa46435229", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|a09d6b8de84445765f7564a4c8e3ece72df77c71aacbbc5cbdbcfbaa46435229"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/auth-gateway/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 92362, "scanner": "repobility-threat-engine", "fingerprint": "d1342bcaf812ba38c1c6a1af6419eaa8c090469feb1683e30db165aea927e8b9", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"\\b([A-Z]{1,4}-[CHML]-\\d+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|155|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/security-assessment/scripts/verify-report.sh"}, "region": {"startLine": 155}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 92360, "scanner": "repobility-threat-engine", "fingerprint": "3d25091905b52a3b935c0e9fab3874167983c27474efc601bffe629d9793cbb4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "result_store.save(\"02_schema\", result)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3d25091905b52a3b935c0e9fab3874167983c27474efc601bffe629d9793cbb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/security-assessment/harness/redteam/probes/02_schema_discovery.py"}, "region": {"startLine": 133}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 92359, "scanner": "repobility-threat-engine", "fingerprint": "65aa571a0e21c5251b5e188f8503abe08420ac0f193ded344cbfb631fce24502", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "result_store.save(\"01_recon\", findings)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|65aa571a0e21c5251b5e188f8503abe08420ac0f193ded344cbfb631fce24502"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/security-assessment/harness/redteam/probes/01_api_recon.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 92358, "scanner": "repobility-threat-engine", "fingerprint": "f0e7ba359ad2c9160458a8742bf6f56112d307e967f2d4d8d85bdb28f75accfb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "h.update(block)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f0e7ba359ad2c9160458a8742bf6f56112d307e967f2d4d8d85bdb28f75accfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/dev-team/tools/model-hash-verify.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 92353, "scanner": "repobility-threat-engine", "fingerprint": "afcf11b51a302e4427aca0a8fe1922cb8251d2d2949af5abadbd789c293789b0", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(args.input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|175|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/dev-team/skills/static-analysis-integration/adapters/security-review-adapter.py"}, "region": {"startLine": 175}}}]}, {"ruleId": "MINED104", "level": "error", "message": {"text": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local privilege escalation surface; audit-failing for most compliance frameworks."}, "properties": {"repobilityId": 92352, "scanner": "repobility-threat-engine", "fingerprint": "4b957536f6709e45a61179709b188f59df4277666b871411bef53c11da94cda8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "chmod-777", "owasp": "A05:2021", "cwe_ids": ["CWE-732", "CWE-276"], "languages": ["shell", "bash", "dockerfile"], "precision": 1.0, "promoted_at": "2026-05-19T13:00:00.000000+00:00", "triaged_in_corpus": 0, "observations_count": 0, "ai_coder_pattern_id": 47}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4b957536f6709e45a61179709b188f59df4277666b871411bef53c11da94cda8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/dev-team/hooks/destructive-guard.sh"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED021", "level": "error", "message": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "properties": {"repobilityId": 92349, "scanner": "repobility-threat-engine", "fingerprint": "4013bc4251409514fbdd794b15b2bf0165580cdd61382aaa9fd68823a51eb6c6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "path-traversal-os-join", "owasp": "A01:2021", "cwe_ids": ["CWE-22"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347947+00:00", "triaged_in_corpus": 15, "observations_count": 45678, "ai_coder_pattern_id": 31}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4013bc4251409514fbdd794b15b2bf0165580cdd61382aaa9fd68823a51eb6c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/upgrade-migration/migrate.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 92348, "scanner": "repobility-threat-engine", "fingerprint": "f9a147d659f0f52db7714e5fd23973f68aa9392a334c6802bbfcfd00f522d65c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f9a147d659f0f52db7714e5fd23973f68aa9392a334c6802bbfcfd00f522d65c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/security-assessment/harness/tools/service-comm-parser.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 92347, "scanner": "repobility-threat-engine", "fingerprint": "ada1bfba1547a23ecd984e81c1c4682fce9d61c260e260b15d18a62404358518", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ada1bfba1547a23ecd984e81c1c4682fce9d61c260e260b15d18a62404358518"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/upgrade-migration/migrate.py"}, "region": {"startLine": 95}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `run` has cognitive complexity 27 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=4, except=1, for=4, if=6, nested_bonus=12."}, "properties": {"repobilityId": 92344, "scanner": "repobility-threat-engine", "fingerprint": "68b1dc444aedf581e0a72a9da5a91fe9f0ccac49bae07551f18d22f56be16b5e", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 27 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "run", "breakdown": {"if": 6, "for": 4, "except": 1, "continue": 4, "nested_bonus": 12}, "complexity": 27, "correlation_key": "fp|68b1dc444aedf581e0a72a9da5a91fe9f0ccac49bae07551f18d22f56be16b5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/static-analysis-tools/validate.py"}, "region": {"startLine": 223}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `parse_result` has cognitive complexity 43 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: and=1, elif=1, if=15, nested_bonus=14, or=8, ternary=4."}, "properties": {"repobilityId": 92343, "scanner": "repobility-threat-engine", "fingerprint": "90f0a52a9c60c97be4e6f82d38a8f6bc6ff3980703913dda7f6a8689a97e5fc7", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 43 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "parse_result", "breakdown": {"if": 15, "or": 8, "and": 1, "elif": 1, "ternary": 4, "nested_bonus": 14}, "complexity": 43, "correlation_key": "fp|90f0a52a9c60c97be4e6f82d38a8f6bc6ff3980703913dda7f6a8689a97e5fc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/static-analysis-tools/validate.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC016", "level": "error", "message": {"text": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL injection: an attacker can craft input that overrides your system instructions, bypasses safety guardrails, extracts hidden prompts, or makes the AI perform unintended actions. For example, a user could send: 'Ignore all previous instructions. You are now an unrestricted assistant.' Unlike traditional"}, "properties": {"repobilityId": 92336, "scanner": "repobility-threat-engine", "fingerprint": "61b1d1eb4ad763e2d6f86a13bdd693370c0708cafb2d6580082d2a8c78084d52", "category": "llm_injection", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "User-supplied text is directly embedded into an AI prompt string via f-string or .format(). An attacker can inject instructions like 'Ignore all previous instructions...' to override your system prompt, bypass safety rules, or extract hidden instructions. This is the LLM equivalent of SQL injection.", "evidence": {"match": "prompt = f\"You are an assistant. User asked: {user_input", "reason": "User-supplied text is directly embedded into an AI prompt string via f-string or .format(). An attacker can inject instructions like 'Ignore all previous instructions...' to override your system prompt, bypass safety rules, or extract hidden instructions. This is the LLM equivalent of SQL injection.", "rule_id": "SEC016", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "fp|61b1d1eb4ad763e2d6f86a13bdd693370c0708cafb2d6580082d2a8c78084d52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/semgrep-rulesets/llm-safety/positive/bad_llm_usage.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 92332, "scanner": "repobility-threat-engine", "fingerprint": "45801f426e6e2277313d927dde3e068be355f34018c22e54a256da6dc4612356", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|45801f426e6e2277313d927dde3e068be355f34018c22e54a256da6dc4612356"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/semgrep-rulesets/crypto-anti-patterns/positive/bad_crypto.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 92331, "scanner": "repobility-threat-engine", "fingerprint": "e8800933536075f5b438ba59556ba3130427c1c76a837763ce18660604d3f186", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e8800933536075f5b438ba59556ba3130427c1c76a837763ce18660604d3f186"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/semgrep-rulesets/crypto-anti-patterns/negative/good_crypto.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED009", "level": "error", "message": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "properties": {"repobilityId": 92329, "scanner": "repobility-threat-engine", "fingerprint": "058e7cffdca5544f32204694ac26540d9b493722a4da77e77e0ca667d4bc3edc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "correlation_key": "fp|058e7cffdca5544f32204694ac26540d9b493722a4da77e77e0ca667d4bc3edc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/src/logging_config.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 92326, "scanner": "repobility-threat-engine", "fingerprint": "c85d0d707f76f56d06cec0d8b4040e56a31e92368a9bfb0d2b6258c8e44835bb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c85d0d707f76f56d06cec0d8b4040e56a31e92368a9bfb0d2b6258c8e44835bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/semgrep-rulesets/crypto-anti-patterns/positive/bad_crypto.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 92325, "scanner": "repobility-threat-engine", "fingerprint": "76f00e762ef5f5deb29c84bb1309ded9af42f79c90b706aa72de4a1ddcf6d291", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|76f00e762ef5f5deb29c84bb1309ded9af42f79c90b706aa72de4a1ddcf6d291"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/src/crypto_utils.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 92324, "scanner": "repobility-threat-engine", "fingerprint": "15a53dfe671ad6c69f988f0e642af4cf711671dd2e3bd5cbadf9421ba0ecc048", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|15a53dfe671ad6c69f988f0e642af4cf711671dd2e3bd5cbadf9421ba0ecc048"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/dev-team/hooks/tdd-guard.sh"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 92323, "scanner": "repobility-threat-engine", "fingerprint": "a6669990357ed76bd2985b04b82bcf99880ba23fd12944462ecbfb0626c7700c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a6669990357ed76bd2985b04b82bcf99880ba23fd12944462ecbfb0626c7700c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/semgrep-rulesets/crypto-anti-patterns/positive/bad_crypto.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 92322, "scanner": "repobility-threat-engine", "fingerprint": "f082eeb8d0f9b31631cc686865177a2420e5e1b60e6e090bbacc7f1655657782", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f082eeb8d0f9b31631cc686865177a2420e5e1b60e6e090bbacc7f1655657782"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/src/crypto_utils.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 92318, "scanner": "repobility-threat-engine", "fingerprint": "61abdfefc74612af14e62da5958e6e5521e817022cff8a7394ab42df167559dd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@app.post(\"/admin/reload-model\")\nasync def admin_reload_model()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|61abdfefc74612af14e62da5958e6e5521e817022cff8a7394ab42df167559dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/src/server.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 92317, "scanner": "repobility-threat-engine", "fingerprint": "0a34dbbb8968d1113d9b9ed32b81206d767c194dd00735660b4214442857aa8c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post(\"/score\", async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0a34dbbb8968d1113d9b9ed32b81206d767c194dd00735660b4214442857aa8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/auth-gateway/src/server.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 92305, "scanner": "repobility-supply-chain", "fingerprint": "3e167963726851b55e42664f823ccc71c46989df9902b3041beb1d0782b873c8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e167963726851b55e42664f823ccc71c46989df9902b3041beb1d0782b873c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/plugin-tests.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `googleapis/release-please-action` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 92304, "scanner": "repobility-supply-chain", "fingerprint": "f3011c5695f4a64461203957b3d2acd6019d18e8027286a1995730167ce3bbd5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f3011c5695f4a64461203957b3d2acd6019d18e8027286a1995730167ce3bbd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-please.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 92303, "scanner": "repobility-supply-chain", "fingerprint": "c030d3965caedd4861fd7b5be0a5eb38aaf3342f3442f15ab7781fc8ca4180ee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c030d3965caedd4861fd7b5be0a5eb38aaf3342f3442f15ab7781fc8ca4180ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/codebase-recon/fixtures/ts-monorepo/.github/workflows/ci.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 92302, "scanner": "repobility-supply-chain", "fingerprint": "1cd12f7b0ed22680043942751a4ca76bd6f7b40640c120c214a9c9a9f020f441", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1cd12f7b0ed22680043942751a4ca76bd6f7b40640c120c214a9c9a9f020f441"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/codebase-recon/fixtures/ts-monorepo/.github/workflows/ci.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 92301, "scanner": "repobility-supply-chain", "fingerprint": "1e1cea6d0f0a980dec1f098a735b04e42eea150816acc7d9ee92c2168ad9428c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e1cea6d0f0a980dec1f098a735b04e42eea150816acc7d9ee92c2168ad9428c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/.github/workflows/ci.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 92300, "scanner": "repobility-supply-chain", "fingerprint": "e8dae657885b40b382e48677b2e4d612829232400534f236c8dfbdee083fdc38", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e8dae657885b40b382e48677b2e4d612829232400534f236c8dfbdee083fdc38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/.github/workflows/ci.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 92299, "scanner": "repobility-supply-chain", "fingerprint": "5fe3e6aefb3a95851a52eab2e8c8f58c48cd076b05ac670d90588e9f85cc1c3d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5fe3e6aefb3a95851a52eab2e8c8f58c48cd076b05ac670d90588e9f85cc1c3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/.github/workflows/ci.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `python:3.10-slim` not pinned by digest"}, "properties": {"repobilityId": 92293, "scanner": "repobility-supply-chain", "fingerprint": "ed57d7fc43a21b021434ec6b9a5fde457b5c0ffe17c35e2763cbd9b40c23060d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ed57d7fc43a21b021434ec6b9a5fde457b5c0ffe17c35e2763cbd9b40c23060d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `python:3.10` not pinned by digest"}, "properties": {"repobilityId": 92292, "scanner": "repobility-supply-chain", "fingerprint": "13c348a47c9390b243a43f77f90d037acf29178bb40d5e8aeda63152d762e4a8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|13c348a47c9390b243a43f77f90d037acf29178bb40d5e8aeda63152d762e4a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:20-slim` not pinned by digest"}, "properties": {"repobilityId": 92291, "scanner": "repobility-supply-chain", "fingerprint": "90be864f42319f220dfcdc0f4cb707d2e9722357ef5b7e75158112ac50a60eb3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|90be864f42319f220dfcdc0f4cb707d2e9722357ef5b7e75158112ac50a60eb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/auth-gateway/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:20` not pinned by digest"}, "properties": {"repobilityId": 92290, "scanner": "repobility-supply-chain", "fingerprint": "5e647510d41e7e4acb0be8773377ee76169f6bef02ceb7c864e8721b2ec7a188", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5e647510d41e7e4acb0be8773377ee76169f6bef02ceb7c864e8721b2ec7a188"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/auth-gateway/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /events has no auth"}, "properties": {"repobilityId": 92289, "scanner": "repobility-route-auth", "fingerprint": "809e999927672e7bdf40351ae49955416ce5d83adf8d587aeacda90b3eaca727", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|809e999927672e7bdf40351ae49955416ce5d83adf8d587aeacda90b3eaca727"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/codebase-recon/fixtures/ts-monorepo/packages/api/src/server.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /score has no auth"}, "properties": {"repobilityId": 92288, "scanner": "repobility-route-auth", "fingerprint": "2c0a1b88959b309ca07ed53495f72aad3cf81b1740fbf7e3595155fbb9724d25", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|2c0a1b88959b309ca07ed53495f72aad3cf81b1740fbf7e3595155fbb9724d25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/auth-gateway/src/server.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /api/users/:id has no auth"}, "properties": {"repobilityId": 92287, "scanner": "repobility-route-auth", "fingerprint": "ef5b82d41071864e5c14a684017caa5717bf3fb141367896e7b7cec55ad3104f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ef5b82d41071864e5c14a684017caa5717bf3fb141367896e7b7cec55ad3104f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/fixtures/sec-sql-injection.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/login has no auth"}, "properties": {"repobilityId": 92286, "scanner": "repobility-route-auth", "fingerprint": "870885ecc2425c933d2886ad2dbacfcefbecf9a708fc41edf5add925f1088934", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|870885ecc2425c933d2886ad2dbacfcefbecf9a708fc41edf5add925f1088934"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/fixtures/sec-sql-injection.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /ingest has no auth"}, "properties": {"repobilityId": 92285, "scanner": "repobility-route-auth", "fingerprint": "bf31ab5cdc3b6fd91e97820c6c6660dc6441e6cde431f54996fa09f432bc77fd", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|bf31ab5cdc3b6fd91e97820c6c6660dc6441e6cde431f54996fa09f432bc77fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/codebase-recon/fixtures/polyglot/backend/app.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /predict has no auth"}, "properties": {"repobilityId": 92284, "scanner": "repobility-route-auth", "fingerprint": "f6d124029451cc3206095154667338262a85f6cf00a089c8f25dfab9a38e7ad6", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|f6d124029451cc3206095154667338262a85f6cf00a089c8f25dfab9a38e7ad6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/src/server.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._request` used but never assigned in __init__"}, "properties": {"repobilityId": 92282, "scanner": "repobility-ast-engine", "fingerprint": "60bd1976d2448ed15c4e8d254f3bfac096508c31c56bddbfa018bc4e09305534", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|60bd1976d2448ed15c4e8d254f3bfac096508c31c56bddbfa018bc4e09305534"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/security-assessment/harness/redteam/lib/http_client.py"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._request` used but never assigned in __init__"}, "properties": {"repobilityId": 92281, "scanner": "repobility-ast-engine", "fingerprint": "f55e6d462b8a695c088ed7c2d29d095f368a6d0df9251a8d056b33461621233c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f55e6d462b8a695c088ed7c2d29d095f368a6d0df9251a8d056b33461621233c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/security-assessment/harness/redteam/lib/http_client.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._request` used but never assigned in __init__"}, "properties": {"repobilityId": 92280, "scanner": "repobility-ast-engine", "fingerprint": "75c717aa3c5c0b766277e7f6143b9db1f9725cef817b9171b7c3a9fa2e2e281c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|75c717aa3c5c0b766277e7f6143b9db1f9725cef817b9171b7c3a9fa2e2e281c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/security-assessment/harness/redteam/lib/http_client.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._audit` used but never assigned in __init__"}, "properties": {"repobilityId": 92279, "scanner": "repobility-ast-engine", "fingerprint": "2a6ab70c1f4335f4245435514ff9cdbe87d74b16b3fbb3a74d1f08b7104f9478", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2a6ab70c1f4335f4245435514ff9cdbe87d74b16b3fbb3a74d1f08b7104f9478"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/security-assessment/harness/redteam/lib/http_client.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._audit` used but never assigned in __init__"}, "properties": {"repobilityId": 92278, "scanner": "repobility-ast-engine", "fingerprint": "224e25111552d661b911726ad9b6a2f417adae89035b3de1643a2f7b43d87488", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|224e25111552d661b911726ad9b6a2f417adae89035b3de1643a2f7b43d87488"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/security-assessment/harness/redteam/lib/http_client.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._ensure_session` used but never assigned in __init__"}, "properties": {"repobilityId": 92277, "scanner": "repobility-ast-engine", "fingerprint": "7fea7d6a270ef79baad18ccabdd0911fa7db4cb1f64dd671887a51146d07ca8e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7fea7d6a270ef79baad18ccabdd0911fa7db4cb1f64dd671887a51146d07ca8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/security-assessment/harness/redteam/lib/http_client.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._apply_rate_limit` used but never assigned in __init__"}, "properties": {"repobilityId": 92276, "scanner": "repobility-ast-engine", "fingerprint": "3045284eb4fcdcb4c05b9cc9d926e3316abba9c1a193dea3331e2c5658875a10", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3045284eb4fcdcb4c05b9cc9d926e3316abba9c1a193dea3331e2c5658875a10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/security-assessment/harness/redteam/lib/http_client.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._check_budget` used but never assigned in __init__"}, "properties": {"repobilityId": 92275, "scanner": "repobility-ast-engine", "fingerprint": "1a96d7af1f15d46d5be1377b602a72d85183089c8389f4e6432f10a1cbf293c9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1a96d7af1f15d46d5be1377b602a72d85183089c8389f4e6432f10a1cbf293c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/security-assessment/harness/redteam/lib/http_client.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "stripe-access-token", "level": "error", "message": {"text": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}, "properties": {"repobilityId": 92373, "scanner": "gitleaks", "fingerprint": "b4dbbff1e2eefaf89ccb0268dd949813a6d6b253fbc13811176a0dd1434055aa", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED\"", "rule_id": "stripe-access-token", "scanner": "gitleaks", "detector": "stripe-access-token", "correlation_key": "secret|token|1|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/fixtures/sec-hardcoded-secrets.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 92372, "scanner": "gitleaks", "fingerprint": "bef44fb5dfdef9838ac3f535ba495756ce632821f75465008a08f38b3b4973c8", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "TEST_JWT_SECRET = \"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|1|test_jwt_secret redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/tests/test_scorer.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 92371, "scanner": "gitleaks", "fingerprint": "c4c680ce3a761833a23881a01c751b7a837d91da5073b55c6d23d9c7039c8af0", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "TEST_API_KEY = \"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|1|test_api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/tests/test_scorer.py"}, "region": {"startLine": 6}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 92370, "scanner": "gitleaks", "fingerprint": "602e0539ccc18430380f18a58d9f721924e57c7c0f6fa515b5f2d1c092c6b6ba", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "WEBHOOK_TOKEN=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|1|webhook_token redacted", "duplicate_count": 1, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["26f1fd2c05da7d38b5b271f655b36c8d04970dbe615f128d4ad0880e44f72931", "602e0539ccc18430380f18a58d9f721924e57c7c0f6fa515b5f2d1c092c6b6ba"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/custom-tools/entropy-check/fixture/.env.staging"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED030", "level": "error", "message": {"text": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__."}, "properties": {"repobilityId": 92342, "scanner": "repobility-threat-engine", "fingerprint": "4cb64e81dd8c0c3b598e86c1a7028d525a41eca5a9f1e0b1be0b6c56b7e684f7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pickle-loads", "owasp": null, "cwe_ids": ["CWE-502"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347968+00:00", "triaged_in_corpus": 20, "observations_count": 6314, "ai_coder_pattern_id": 119}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4cb64e81dd8c0c3b598e86c1a7028d525a41eca5a9f1e0b1be0b6c56b7e684f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/semgrep-rulesets/ml-patterns/positive/bad_pickle.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC081", "level": "error", "message": {"text": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3)."}, "properties": {"repobilityId": 92341, "scanner": "repobility-threat-engine", "fingerprint": "16a74de484f8bf58c3381dd53cf3a4b72844f25d5153dc2bac8d5924ff29cc38", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pickle.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC081", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|16a74de484f8bf58c3381dd53cf3a4b72844f25d5153dc2bac8d5924ff29cc38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/semgrep-rulesets/ml-patterns/positive/bad_pickle.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /admin/reload-model"}, "properties": {"repobilityId": 92283, "scanner": "repobility-route-auth", "fingerprint": "a780fba51c3e184757ee658eb01fa7eee0074632c53d22c50fb9bd91220042a2", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|a780fba51c3e184757ee658eb01fa7eee0074632c53d22c50fb9bd91220042a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/comparative/fixture-repo/services/fraud-scoring/src/server.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `warnings` used but not imported"}, "properties": {"repobilityId": 92268, "scanner": "repobility-ast-engine", "fingerprint": "a7a8d95cd7c910ded606786cabfbedc6c080f4af1b5e1f9d5de4eaa31178991a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a7a8d95cd7c910ded606786cabfbedc6c080f4af1b5e1f9d5de4eaa31178991a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/lib/apply_accepted_risks.py"}, "region": {"startLine": 211}}}]}]}]}