{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /p"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 31.6% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 31.6% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC009", "name": "Multiple AI-agent scaffold marker files are present", "shortDescription": {"text": "Multiple AI-agent scaffold marker files are present"}, "fullDescription": {"text": "Keep one current agent instruction file if it helps contributors, remove stale progress/completion markers, and make sure the README, tests, and CI describe the real supported behavior."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html (and 12 more): Same pattern found in 12 additional files. Review if needed.", "shortDescription": {"text": "[MINED058] React Dangerously Set Html (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 28 more): Same pattern found in 28 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 28 more): Same pattern found in 28 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 50 more): Same pattern found in 50 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 50 more): Same pattern found in 50 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-r", "shortDescription": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025"}, "fullDescription": {"text": "Replace with: `uses: actions/setup-node@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images "}, "fullDescription": {"text": "Replace with: `FROM node:20-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "Create .dockerignore before using broad context copies, or copy only the required files and directories."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1247"}, "properties": {"repository": "lingdojo/kana-dojo", "repoUrl": "https://github.com/lingdojo/kana-dojo", "branch": "main"}, "results": [{"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 125966, "scanner": "repobility-journey-contract", "fingerprint": "b04242526516cd4ba82d7196ac6255be77a02469405feba326e09e90e10eef9f", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/indexnow", "correlation_key": "fp|b04242526516cd4ba82d7196ac6255be77a02469405feba326e09e90e10eef9f", "backend_endpoint_count": 19}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/utils/indexnow.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 125965, "scanner": "repobility-journey-contract", "fingerprint": "63f413516e1c2da24fe3617ed0b0d791e3b847b83d03e4ef37ece92efb88a020", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/indexnow", "correlation_key": "fp|63f413516e1c2da24fe3617ed0b0d791e3b847b83d03e4ef37ece92efb88a020", "backend_endpoint_count": 19}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/utils/indexnow.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 125964, "scanner": "repobility-journey-contract", "fingerprint": "6a534740e523f33639af63e2bb8e73b61d39d10dd92f151c2b43fd110641c8d8", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/facts", "correlation_key": "fp|6a534740e523f33639af63e2bb8e73b61d39d10dd92f151c2b43fd110641c8d8", "backend_endpoint_count": 19}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/ui-composite/misc/RandomFact.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 125963, "scanner": "repobility-journey-contract", "fingerprint": "41ab920a2fa85c5fd15a4f2241c6c9541e017eb7871bddf8527b5be58d19e347", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/facts", "correlation_key": "fp|41ab920a2fa85c5fd15a4f2241c6c9541e017eb7871bddf8527b5be58d19e347", "backend_endpoint_count": 19}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/ui-composite/Performance/SessionPrefetch.tsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 125962, "scanner": "repobility-journey-contract", "fingerprint": "d7a89ab28d88bae1c3e4a8c693b903a09ca5031995e1150b1e4c91372e26260c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/trivia", "correlation_key": "fp|d7a89ab28d88bae1c3e4a8c693b903a09ca5031995e1150b1e4c91372e26260c", "backend_endpoint_count": 19}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/hooks/game/useTrivia.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 125961, "scanner": "repobility-journey-contract", "fingerprint": "cb65906f482374a27d36666bcb445207284f8a5ed4a781acf539ce949b4de871", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/analyze-text", "correlation_key": "fp|cb65906f482374a27d36666bcb445207284f8a5ed4a781acf539ce949b4de871", "backend_endpoint_count": 19}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sw.js"}, "region": {"startLine": 114}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 125960, "scanner": "repobility-journey-contract", "fingerprint": "d3e7840a9e35b9f769a0134e660f0a1fede928be61c011c2ed2612c7f9ad675c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/translate", "correlation_key": "fp|d3e7840a9e35b9f769a0134e660f0a1fede928be61c011c2ed2612c7f9ad675c", "backend_endpoint_count": 19}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sw.js"}, "region": {"startLine": 108}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 125959, "scanner": "repobility-journey-contract", "fingerprint": "b781dbb0ccfa755d5f61c2728aae923beeb32f688f9d286ef125349004e38f81", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/facts", "correlation_key": "fp|b781dbb0ccfa755d5f61c2728aae923beeb32f688f9d286ef125349004e38f81", "backend_endpoint_count": 19}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "next.config.ts"}, "region": {"startLine": 187}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 125958, "scanner": "repobility-journey-contract", "fingerprint": "3b59d9e2a585d38bca5da0ac422da72696e16228e55e9e8e6032b02566faded8", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/translate", "correlation_key": "fp|3b59d9e2a585d38bca5da0ac422da72696e16228e55e9e8e6032b02566faded8", "backend_endpoint_count": 19}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "features/Translator/services/translationAPI.ts"}, "region": {"startLine": 145}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 125957, "scanner": "repobility-journey-contract", "fingerprint": "3a80e4c1c43b6e3261ec2560a69f9dce27a54921b4f78e6e0c609386c1aa1a81", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/analyze-text", "correlation_key": "fp|3a80e4c1c43b6e3261ec2560a69f9dce27a54921b4f78e6e0c609386c1aa1a81", "backend_endpoint_count": 19}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "features/Translator/services/textAnalysisAPI.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /progress-sync/route."}, "properties": {"repobilityId": 125956, "scanner": "repobility-access-control", "fingerprint": "840740962c35dc9df482b0a4fd65668f5bb5128aa5d1512b623b7ef9715e17d4", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/progress-sync/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|253|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/api/progress-sync/route.ts"}, "region": {"startLine": 253}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /progress-sync/route."}, "properties": {"repobilityId": 125955, "scanner": "repobility-access-control", "fingerprint": "2caafb791ced4c91c1d624cf41804b8fafa79f11c37ba02cd3ebad4cc7c8c81d", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/progress-sync/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|195|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/api/progress-sync/route.ts"}, "region": {"startLine": 195}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /now/route."}, "properties": {"repobilityId": 125954, "scanner": "repobility-access-control", "fingerprint": "d4f9362ef3677ad6eeaa8bec4e869d482753e20b7be20a9d3fa28d2564b772e9", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/now/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|app/api/indexnow/route.ts|119|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/api/indexnow/route.ts"}, "region": {"startLine": 119}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /now/route."}, "properties": {"repobilityId": 125953, "scanner": "repobility-access-control", "fingerprint": "ff7518fd9b9748ccc5ee717931ddad6be156f944eec38b838388321394714e57", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/now/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|app/api/indexnow/route.ts|24|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/api/indexnow/route.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /analyze-text/route."}, "properties": {"repobilityId": 125952, "scanner": "repobility-access-control", "fingerprint": "22f6c04b1846cb266f0d3dfa747166e940fd82013681fcacefaa3ce69bfa6242", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/analyze-text/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|178|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/api/analyze-text/route.ts"}, "region": {"startLine": 178}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /trivia/route."}, "properties": {"repobilityId": 125951, "scanner": "repobility-access-control", "fingerprint": "4ae99856986d7b7fd950d90df4bf73a697dc0f40c6ed69dad863261cc728e908", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/trivia/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|app/api/trivia/route.ts|60|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/api/trivia/route.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /trigger-thanos-community-content/route."}, "properties": {"repobilityId": 125950, "scanner": "repobility-access-control", "fingerprint": "b705e2053742114f66d7328366e718620517f5f29c0da97741e26d3adad33aaa", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/trigger-thanos-community-content/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|22|auc009", "duplicate_count": 1, "identity_targets": ["authenticated"], "duplicate_rule_ids": ["AUC009"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["b705e2053742114f66d7328366e718620517f5f29c0da97741e26d3adad33aaa", "b95af182dc0b4c69953e745b3f6d6acb770485856aad12e2fa1e558ba86e1d76"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/api/trigger-thanos-community-content/route.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /security.txt."}, "properties": {"repobilityId": 125949, "scanner": "repobility-access-control", "fingerprint": "8465fdba1a8c6b9d48db133d4b2f70369b4bf947a9acfa964d38d710e3baf81b", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/security.txt", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|app/security.txt/route.ts|8|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/security.txt/route.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /llms.txt."}, "properties": {"repobilityId": 125948, "scanner": "repobility-access-control", "fingerprint": "2c6be89746982a13556451fe16b78e203f7d9a2a24c95862296df94cbde94733", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/llms.txt", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|app/llms.txt/route.ts|5|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/llms.txt/route.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 31.6% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 125947, "scanner": "repobility-access-control", "fingerprint": "6523168790890fc41dc43c798d08e8c01e0e24a6ba935e861c903a03aa468f63", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 19, "correlation_key": "fp|6523168790890fc41dc43c798d08e8c01e0e24a6ba935e861c903a03aa468f63", "auth_visible_percent": 31.6}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 125946, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 125943, "scanner": "repobility-docker", "fingerprint": "c8eaae15bf125a0bf56e6ce5234bc280fba61e9118853640cbe29548e77dd062", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:20-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c8eaae15bf125a0bf56e6ce5234bc280fba61e9118853640cbe29548e77dd062"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.dev"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 125941, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 125900, "scanner": "repobility-threat-engine", "fingerprint": "691f261fd03e56ba826eafa2741071bc4b5af02c6da65efa5812e19d0d75d513", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * 4 + 6,\n    };\n  });\n\n  if (!isMounted) return null;\n\n  return (\n    <div", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|691f261fd03e56ba826eafa2741071bc4b5af02c6da65efa5812e19d0d75d513"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "features/Experiments/components/KanaZen.tsx"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 125899, "scanner": "repobility-threat-engine", "fingerprint": "0f7b0af07cf1901ca02ab4d8ff844f74bf672c27e8a8f18383b886d7cd8d9c31", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random(),\n            }}\n          />\n        ))}\n      </div", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0f7b0af07cf1901ca02ab4d8ff844f74bf672c27e8a8f18383b886d7cd8d9c31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "features/Experiments/components/KanaNebula.tsx"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 125898, "scanner": "repobility-threat-engine", "fingerprint": "2572f4a5e52dfa06d4ddf95f2d3225e96bdd4d1a007a05646352e3a4a7627f11", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * 5}s`,\n            }}\n          />\n        ))}\n      </div", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2572f4a5e52dfa06d4ddf95f2d3225e96bdd4d1a007a05646352e3a4a7627f11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "features/Experiments/components/Hanabi.tsx"}, "region": {"startLine": 88}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 125894, "scanner": "repobility-threat-engine", "fingerprint": "337e38e9d6e5fe9941c678febdf2453dadb925628301867601fa91e27bbfb5d2", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch(function () {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|337e38e9d6e5fe9941c678febdf2453dadb925628301867601fa91e27bbfb5d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/layout.tsx"}, "region": {"startLine": 193}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 125967, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 125945, "scanner": "repobility-docker", "fingerprint": "8015344d2fb5561be5c322649ff279646806967ec5964ded6d331265c57bf6a5", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8015344d2fb5561be5c322649ff279646806967ec5964ded6d331265c57bf6a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 125944, "scanner": "repobility-docker", "fingerprint": "9844dd59b3559acc412659092c1bd8a82ed81580ee226b6899f2e3c1a60c4761", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9844dd59b3559acc412659092c1bd8a82ed81580ee226b6899f2e3c1a60c4761"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125939, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b0f6af9e03c1e1cffd431c1fcb1b6e0e12467363db8bbe75f35e4591b6373a10", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/kana/blitz/page.tsx", "duplicate_line": 2, "correlation_key": "fp|b0f6af9e03c1e1cffd431c1fcb1b6e0e12467363db8bbe75f35e4591b6373a10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/kanji/gauntlet/page.tsx"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125938, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6fbb4f879844bf64fba174f3aea4c39a0b41be497cba9c52f236cbba04e238d7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/kana/blitz/page.tsx", "duplicate_line": 2, "correlation_key": "fp|6fbb4f879844bf64fba174f3aea4c39a0b41be497cba9c52f236cbba04e238d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/kanji/blitz/page.tsx"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125937, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d99004859b21d146d20f30eb0bca8419c6152c494f088d2ecfe65c22cbd5feaa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/kana/blitz/page.tsx", "duplicate_line": 7, "correlation_key": "fp|d99004859b21d146d20f30eb0bca8419c6152c494f088d2ecfe65c22cbd5feaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/kana/train/timed/page.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125936, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b53862b453bdfa1d7968b83cb0a9a345492e36b225d85c71e58fc046e976b85", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/preferences/page.tsx", "duplicate_line": 2, "correlation_key": "fp|6b53862b453bdfa1d7968b83cb0a9a345492e36b225d85c71e58fc046e976b85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/kana/train/timed/page.tsx"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125935, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ab032bb406afc5a9a1c12a3c37a78eb7b9605e4fc094c6dcaa98a3c90749518e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/kana/blitz/page.tsx", "duplicate_line": 2, "correlation_key": "fp|ab032bb406afc5a9a1c12a3c37a78eb7b9605e4fc094c6dcaa98a3c90749518e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/kana/gauntlet/page.tsx"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125934, "scanner": "repobility-ai-code-hygiene", "fingerprint": "64195e43780fae8750d35b2e281d6c8cfe3af266a360977d39db26e6f82ee0f0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/about/page.tsx", "duplicate_line": 221, "correlation_key": "fp|64195e43780fae8750d35b2e281d6c8cfe3af266a360977d39db26e6f82ee0f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/credits/page.tsx"}, "region": {"startLine": 242}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125933, "scanner": "repobility-ai-code-hygiene", "fingerprint": "93e3bd4a7759396d438f7db4cb9db63ad0dfddb852b05528021d99b384b06dc3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/vocabulary/jlpt-n1/page.tsx", "duplicate_line": 28, "correlation_key": "fp|93e3bd4a7759396d438f7db4cb9db63ad0dfddb852b05528021d99b384b06dc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/vocabulary/page.tsx"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125932, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ca11f4b831d0535d6f20fd13666a561e406d7b742864c526601d8c47849b2ea2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/kana/page.tsx", "duplicate_line": 7, "correlation_key": "fp|ca11f4b831d0535d6f20fd13666a561e406d7b742864c526601d8c47849b2ea2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/vocabulary/page.tsx"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125931, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3b810a7cb0e2b748b8c017a1bf33be9ff51e5faf20caa157bad91b76f1094d53", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/kanji/jlpt-n1/page.tsx", "duplicate_line": 7, "correlation_key": "fp|3b810a7cb0e2b748b8c017a1bf33be9ff51e5faf20caa157bad91b76f1094d53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/vocabulary/jlpt-n5/page.tsx"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125930, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c9121a6673613782eaa815a15ddefbd1e383f5fae458939e104d9d2d5a2b68f8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/vocabulary/jlpt-n1/page.tsx", "duplicate_line": 4, "correlation_key": "fp|c9121a6673613782eaa815a15ddefbd1e383f5fae458939e104d9d2d5a2b68f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/vocabulary/jlpt-n5/page.tsx"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125929, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bc7bb0283244e0ecb9fb7912f3423e6547da20dc6ef98a3cb0a5b3160143e31e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/kanji/jlpt-n1/page.tsx", "duplicate_line": 7, "correlation_key": "fp|bc7bb0283244e0ecb9fb7912f3423e6547da20dc6ef98a3cb0a5b3160143e31e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/vocabulary/jlpt-n4/page.tsx"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125928, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bf3db4b4b70e8308a1766c219e9f987d25cc30cb4fa43b9a75ab565d616c7ae1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/vocabulary/jlpt-n1/page.tsx", "duplicate_line": 4, "correlation_key": "fp|bf3db4b4b70e8308a1766c219e9f987d25cc30cb4fa43b9a75ab565d616c7ae1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/vocabulary/jlpt-n4/page.tsx"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125927, "scanner": "repobility-ai-code-hygiene", "fingerprint": "15959a59ba9b616a6944a71d73b826c93e13eb03f59716d05ba4cac8ad2b8680", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/kanji/jlpt-n1/page.tsx", "duplicate_line": 7, "correlation_key": "fp|15959a59ba9b616a6944a71d73b826c93e13eb03f59716d05ba4cac8ad2b8680"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/vocabulary/jlpt-n3/page.tsx"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125926, "scanner": "repobility-ai-code-hygiene", "fingerprint": "174309bb2b74cf7ba4149368693088e913d181428c4a634e26db3c8352063ec8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/vocabulary/jlpt-n1/page.tsx", "duplicate_line": 4, "correlation_key": "fp|174309bb2b74cf7ba4149368693088e913d181428c4a634e26db3c8352063ec8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/vocabulary/jlpt-n3/page.tsx"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125925, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f4f61c81156e085f1ca1eb4a1d97163ee73bac7bf0f09375753f577832d05273", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/kanji/jlpt-n1/page.tsx", "duplicate_line": 7, "correlation_key": "fp|f4f61c81156e085f1ca1eb4a1d97163ee73bac7bf0f09375753f577832d05273"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/vocabulary/jlpt-n2/page.tsx"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125924, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2440ffbeb0bc15323d490711b72e227ef97c95928b07904305575827563c1363", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/vocabulary/jlpt-n1/page.tsx", "duplicate_line": 4, "correlation_key": "fp|2440ffbeb0bc15323d490711b72e227ef97c95928b07904305575827563c1363"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/vocabulary/jlpt-n2/page.tsx"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125923, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6568f4e977776d8b6812140195e3cfe5c6f4cd807260c81c4157ba8b8bb40e6d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/kanji/jlpt-n1/page.tsx", "duplicate_line": 7, "correlation_key": "fp|6568f4e977776d8b6812140195e3cfe5c6f4cd807260c81c4157ba8b8bb40e6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/vocabulary/jlpt-n1/page.tsx"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125922, "scanner": "repobility-ai-code-hygiene", "fingerprint": "461d90c2a5eab1419d603186b3fa01bd4ebdf52d1cd6a217dc673cd669d833ba", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/hiragana-practice/page.tsx", "duplicate_line": 3, "correlation_key": "fp|461d90c2a5eab1419d603186b3fa01bd4ebdf52d1cd6a217dc673cd669d833ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/katakana-practice/page.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125921, "scanner": "repobility-ai-code-hygiene", "fingerprint": "557c6ba3434d9cbe7b80bf7d14278498e56c259e6cb700511ea63c85cd5e552e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/kana/page.tsx", "duplicate_line": 7, "correlation_key": "fp|557c6ba3434d9cbe7b80bf7d14278498e56c259e6cb700511ea63c85cd5e552e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/kanji/page.tsx"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125920, "scanner": "repobility-ai-code-hygiene", "fingerprint": "28c395ef5f2264b55ffc6b6c6a67771a0e4190d1eea827837eeb322689004e92", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/kanji/jlpt-n1/page.tsx", "duplicate_line": 4, "correlation_key": "fp|28c395ef5f2264b55ffc6b6c6a67771a0e4190d1eea827837eeb322689004e92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/kanji/jlpt-n5/page.tsx"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125919, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5b358e1df175555919f1ad56ce77e6c5c6f98889f4bd3fb3112fbdb5a35ebd16", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/kanji/jlpt-n1/page.tsx", "duplicate_line": 4, "correlation_key": "fp|5b358e1df175555919f1ad56ce77e6c5c6f98889f4bd3fb3112fbdb5a35ebd16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/kanji/jlpt-n4/page.tsx"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125918, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b784d37aae3470d93869023d8e956a37cba233571ec95237eb9b09491b81a5c9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/kanji/jlpt-n1/page.tsx", "duplicate_line": 4, "correlation_key": "fp|b784d37aae3470d93869023d8e956a37cba233571ec95237eb9b09491b81a5c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/kanji/jlpt-n3/page.tsx"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125917, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0df504eddf7b0ec3426e2c61be834797dc543b4d1d9e4c6f96fe836e19b44b11", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/kanji/jlpt-n1/page.tsx", "duplicate_line": 4, "correlation_key": "fp|0df504eddf7b0ec3426e2c61be834797dc543b4d1d9e4c6f96fe836e19b44b11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/kanji/jlpt-n2/page.tsx"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125916, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c5fd1f545ceca700a699bb31e816ab946b56d4edacd8f526ed6ece589ad67fe1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/hiragana-practice/page.tsx", "duplicate_line": 3, "correlation_key": "fp|c5fd1f545ceca700a699bb31e816ab946b56d4edacd8f526ed6ece589ad67fe1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/kanji-practice/page.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125915, "scanner": "repobility-ai-code-hygiene", "fingerprint": "549816a1bc710ca4957341a7e41f83e3907671c571c16d665ab350826bd96949", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/kana/learn-hiragana/page.tsx", "duplicate_line": 25, "correlation_key": "fp|549816a1bc710ca4957341a7e41f83e3907671c571c16d665ab350826bd96949"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/kana/learn-katakana/page.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125914, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7f1dd6c531f0ed676aa4ccf29044c23cd0ba53c4dfb51d9e7b1f34db4fd4ae0f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/hiragana-practice/page.tsx", "duplicate_line": 6, "correlation_key": "fp|7f1dd6c531f0ed676aa4ccf29044c23cd0ba53c4dfb51d9e7b1f34db4fd4ae0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/jlpt/n5/page.tsx"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125913, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0e3c0841d366759faca08a67f5a152802b8b748857205ab2f7c0223e06e8fef3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/jlpt/n3/page.tsx", "duplicate_line": 1, "correlation_key": "fp|0e3c0841d366759faca08a67f5a152802b8b748857205ab2f7c0223e06e8fef3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/jlpt/n5/page.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125912, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6ecc0a41390bc6f695d594769261a152b75421560818c2502007e9f163f956e1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/hiragana-practice/page.tsx", "duplicate_line": 6, "correlation_key": "fp|6ecc0a41390bc6f695d594769261a152b75421560818c2502007e9f163f956e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/jlpt/n4/page.tsx"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125911, "scanner": "repobility-ai-code-hygiene", "fingerprint": "11837228ee1b693a6fa67eaa5042fbd9177ddeb9b151ae7c4a57a71d23a42b26", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/jlpt/n3/page.tsx", "duplicate_line": 1, "correlation_key": "fp|11837228ee1b693a6fa67eaa5042fbd9177ddeb9b151ae7c4a57a71d23a42b26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/jlpt/n4/page.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125910, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0b8add726d47fd417450189178d411f68f71aa07ef458d22ca430a14f9e9c1f3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/[locale]/(main)/hiragana-practice/page.tsx", "duplicate_line": 6, "correlation_key": "fp|0b8add726d47fd417450189178d411f68f71aa07ef458d22ca430a14f9e9c1f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/(main)/jlpt/n3/page.tsx"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC009", "level": "note", "message": {"text": "Multiple AI-agent scaffold marker files are present"}, "properties": {"repobilityId": 125909, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff6e1d5f8944c42e18d355d72dd1be436aa8bed440cc2a7bce2c8a8fb4706ed6", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains several AI-agent scaffold marker files.", "evidence": {"markers": ["AGENTS.md", "CLAUDE.md", "GEMINI.md"], "rule_id": "AIC009", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|ff6e1d5f8944c42e18d355d72dd1be436aa8bed440cc2a7bce2c8a8fb4706ed6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "AGENTS.md"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 125907, "scanner": "repobility-threat-engine", "fingerprint": "b45349ff4aae3e7a314021b68debaa4b6f9817b0ea588c081fa143ba93261f0b", "category": "security", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\"noopener\"|\\'noopener\\'' detected on same line", "evidence": {"match": "window.open(url, '_blank', 'noopener')", "reason": "Safe pattern '\"noopener\"|\\'noopener\\'' detected on same line", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|security|token|83|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/ui-composite/layout/BottomBar.tsx"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 125906, "scanner": "repobility-threat-engine", "fingerprint": "f16765edcc71f7384bb5709dd6dc354202c89f6cad44c480aecc9216c08a2fa3", "category": "security", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\"noopener\"|\\'noopener\\'' detected on same line", "evidence": {"match": "window.open('https://tally.so/r/2E4rB9', '_blank', 'noopener')", "reason": "Safe pattern '\"noopener\"|\\'noopener\\'' detected on same line", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|security|token|174|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/ui-composite/Game/GameBottomBar.tsx"}, "region": {"startLine": 174}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 125903, "scanner": "repobility-threat-engine", "fingerprint": "cc66fbf0b996f93274bc1dd36bd6408120668736ca02996cbb0a210cff67dae4", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|44|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/hooks/game/useGoalTimers.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 125902, "scanner": "repobility-threat-engine", "fingerprint": "db9ed8ab693a39469bf31dea5877806a8b223cfd284ec61ae34b96f1e85f21bb", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|128|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "features/Translator/store/useTranslatorStore.ts"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 125901, "scanner": "repobility-threat-engine", "fingerprint": "1861adc153aca8852c412cbd20a8a436fc5bbf11e41fba2872d3a68f0b019e64", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|146|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "features/Preferences/store/useGoalTimersStore.ts"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 125897, "scanner": "repobility-threat-engine", "fingerprint": "f6847864223d6488ca62d23154d677da7d0da9381fd96bf4ead1701c2a8a55e1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f6847864223d6488ca62d23154d677da7d0da9381fd96bf4ead1701c2a8a55e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "features/Experiments/components/KanaSearch.tsx"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 125896, "scanner": "repobility-threat-engine", "fingerprint": "e5a90104872c99ade3304abdf39e69ce5a82f6e1926d3ca64cf276b9d16a4471", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e5a90104872c99ade3304abdf39e69ce5a82f6e1926d3ca64cf276b9d16a4471"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "features/Experiments/components/FlashRush.tsx"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 125895, "scanner": "repobility-threat-engine", "fingerprint": "8f09582685045db18ebe7b9b48bd6a1755fc59aaf6412df60ea7125278d09a81", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8f09582685045db18ebe7b9b48bd6a1755fc59aaf6412df60ea7125278d09a81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "features/Achievements/hooks/useAchievementPrompts.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 125893, "scanner": "repobility-threat-engine", "fingerprint": "ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 125889, "scanner": "repobility-threat-engine", "fingerprint": "7eac65c6d729ce731cf7f1b0d32d88551e2714b6a555982628995e228d42ee93", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7eac65c6d729ce731cf7f1b0d32d88551e2714b6a555982628995e228d42ee93", "aggregated_count": 3}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 125888, "scanner": "repobility-threat-engine", "fingerprint": "51b1c94aa8ff3ce0a287fa5bf1a44bcaf57a88e8f61651f8d9c40643e487c0ad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|51b1c94aa8ff3ce0a287fa5bf1a44bcaf57a88e8f61651f8d9c40643e487c0ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "features/AnkiConverter/hooks/useConversionWorker.ts"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 125887, "scanner": "repobility-threat-engine", "fingerprint": "03358bb3e6b861c86bd7a5363637465982eb6b14d56c9357f2472c663c9e785e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|03358bb3e6b861c86bd7a5363637465982eb6b14d56c9357f2472c663c9e785e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "features/Achievements/components/progress/useAchievementProgress.ts"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 125886, "scanner": "repobility-threat-engine", "fingerprint": "cfba1f9b76b3aaebc06d7ba3188f3f7e4e70ff6de2dd4984875b77c055b026f4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cfba1f9b76b3aaebc06d7ba3188f3f7e4e70ff6de2dd4984875b77c055b026f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/api/analyze-text/route.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 125885, "scanner": "repobility-threat-engine", "fingerprint": "f3554231f2d32a33a651c3b39559f3d21263dabefeb5c7ba90040f806b6ba0ca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f3554231f2d32a33a651c3b39559f3d21263dabefeb5c7ba90040f806b6ba0ca"}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 125881, "scanner": "repobility-threat-engine", "fingerprint": "d8964d329792103608480cfc9c4ebb3dac5ecc10d3866bbd8caab3508a370874", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d8964d329792103608480cfc9c4ebb3dac5ecc10d3866bbd8caab3508a370874", "aggregated_count": 12}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 125880, "scanner": "repobility-threat-engine", "fingerprint": "c0c89551ab32517cf1d6171d7e8554edbacd1fb5d8958cc734abc4f48a241b47", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c0c89551ab32517cf1d6171d7e8554edbacd1fb5d8958cc734abc4f48a241b47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/resources/page.tsx"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 125879, "scanner": "repobility-threat-engine", "fingerprint": "bb4ccf9b8cf94ec1eb0d2a3e2622cf0a2a5a89314c59689aa2196a145b48d748", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bb4ccf9b8cf94ec1eb0d2a3e2622cf0a2a5a89314c59689aa2196a145b48d748"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/resources/[category]/page.tsx"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 125878, "scanner": "repobility-threat-engine", "fingerprint": "41aaef70afed7e58f312fe69fcdfafc7432b4d359d8a01a0cf9bcd7ed7a45917", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|41aaef70afed7e58f312fe69fcdfafc7432b4d359d8a01a0cf9bcd7ed7a45917"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/resources/[category]/[subcategory]/page.tsx"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 125877, "scanner": "repobility-threat-engine", "fingerprint": "deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "aggregated_count": 1}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 125876, "scanner": "repobility-threat-engine", "fingerprint": "7b2dcba7933461434718e017fd8db53d2d243efce3333dfebe1d68f4649340e5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7b2dcba7933461434718e017fd8db53d2d243efce3333dfebe1d68f4649340e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/ui-composite/Modals/NightlyBanner.tsx"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 125875, "scanner": "repobility-threat-engine", "fingerprint": "6b0eca0750f587bae5bd596e25bd7b61c754042f77cbe3c0b22078edaa426ddf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6b0eca0750f587bae5bd596e25bd7b61c754042f77cbe3c0b22078edaa426ddf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "features/Kanji/components/SetDictionary.tsx"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 125874, "scanner": "repobility-threat-engine", "fingerprint": "dc9135c3667ec83fb1cf5588a6424766b2f13e60d172b90b5321b263b780774f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dc9135c3667ec83fb1cf5588a6424766b2f13e60d172b90b5321b263b780774f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/credits/page.tsx"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 28 more): Same pattern found in 28 additional files. Review if needed."}, "properties": {"repobilityId": 125873, "scanner": "repobility-threat-engine", "fingerprint": "e24948ba98df394cceed216be35232c13416d83338c442adc5f8c4e38d4085f1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 28 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e24948ba98df394cceed216be35232c13416d83338c442adc5f8c4e38d4085f1", "aggregated_count": 28}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 125872, "scanner": "repobility-threat-engine", "fingerprint": "80e862ee66dfd564f947674e1b90fd1954234da41b4de42c13ed33840b429205", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|80e862ee66dfd564f947674e1b90fd1954234da41b4de42c13ed33840b429205"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "features/Conjugator/components/FAQ.tsx"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 125871, "scanner": "repobility-threat-engine", "fingerprint": "d695b6bf640bbbe816d2d36fc8230858c21def83100fb6f346aff1be4f8f347d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d695b6bf640bbbe816d2d36fc8230858c21def83100fb6f346aff1be4f8f347d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "features/Academy/components/index.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 125870, "scanner": "repobility-threat-engine", "fingerprint": "b0d8be3c3903f47b9d5499139aac99be60b416c45fba60b82fd7232bffb1df1c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b0d8be3c3903f47b9d5499139aac99be60b416c45fba60b82fd7232bffb1df1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/[locale]/academy/[slug]/page.tsx"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 50 more): Same pattern found in 50 additional files. Review if needed."}, "properties": {"repobilityId": 125869, "scanner": "repobility-threat-engine", "fingerprint": "c6207f3727d032b12d19139e50d5946e3c0d2675d0165da2517bafec19469096", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 50 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c6207f3727d032b12d19139e50d5946e3c0d2675d0165da2517bafec19469096", "aggregated_count": 50}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 125868, "scanner": "repobility-threat-engine", "fingerprint": "1c11ff047c3639b55a10c141ea4306f40eb1a1db03682e5a30b831bbe1afcb26", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1c11ff047c3639b55a10c141ea4306f40eb1a1db03682e5a30b831bbe1afcb26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/api/analyze-text/route.ts"}, "region": {"startLine": 300}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 125867, "scanner": "repobility-threat-engine", "fingerprint": "a606e60188f87d79a9819a1bf71adfd5388ed3e61e8c3d63264156f6003718ef", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a606e60188f87d79a9819a1bf71adfd5388ed3e61e8c3d63264156f6003718ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/ClientLayout.tsx"}, "region": {"startLine": 211}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 125866, "scanner": "repobility-threat-engine", "fingerprint": "daf9f8552a677cad0b5dd617f8795bde2996c5da2242d16e6f73b81dae3f3a6a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|daf9f8552a677cad0b5dd617f8795bde2996c5da2242d16e6f73b81dae3f3a6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/create-release.cjs"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125996, "scanner": "repobility-supply-chain", "fingerprint": "3b8760d872129752bad6fa8042a23e6d1e48c1dd726a07c2790d0a6f2d7c9ee7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3b8760d872129752bad6fa8042a23e6d1e48c1dd726a07c2790d0a6f2d7c9ee7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-check.yml"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125995, "scanner": "repobility-supply-chain", "fingerprint": "a79238729194858e528d315fb39fbf1d1dbf98385df4a57cb299fc26956948c1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a79238729194858e528d315fb39fbf1d1dbf98385df4a57cb299fc26956948c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-check.yml"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125994, "scanner": "repobility-supply-chain", "fingerprint": "4f5d945deffc4857c6239aa4b74c876bc273cf8a701166795dea1a0915f62da5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f5d945deffc4857c6239aa4b74c876bc273cf8a701166795dea1a0915f62da5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-check.yml"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125993, "scanner": "repobility-supply-chain", "fingerprint": "1e18d9ceb71758c5c1d4961451e547411f371abd7c021e948861f1d023cafdfc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e18d9ceb71758c5c1d4961451e547411f371abd7c021e948861f1d023cafdfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-check.yml"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125992, "scanner": "repobility-supply-chain", "fingerprint": "d65817d1e22f101e5faaef672bc05c1e1293ca700871dab32e9710003095ca24", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d65817d1e22f101e5faaef672bc05c1e1293ca700871dab32e9710003095ca24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-check.yml"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125991, "scanner": "repobility-supply-chain", "fingerprint": "db58724933b9a96a1179b6430998effa4188fbfdb5739c290b05cbc24d5a0098", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|db58724933b9a96a1179b6430998effa4188fbfdb5739c290b05cbc24d5a0098"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-check.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125990, "scanner": "repobility-supply-chain", "fingerprint": "7d6fd60b326cc68f7fde70df75b25f9c15f688fdc380ff87d776067ba01a0b71", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d6fd60b326cc68f7fde70df75b25f9c15f688fdc380ff87d776067ba01a0b71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-check.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125989, "scanner": "repobility-supply-chain", "fingerprint": "973a1619e70f798175f47ba5634b8c3fbd845fe6cd693ae6e5c246b3a7a2e77d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|973a1619e70f798175f47ba5634b8c3fbd845fe6cd693ae6e5c246b3a7a2e77d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/hourly-community-issue.yml"}, "region": {"startLine": 1283}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125988, "scanner": "repobility-supply-chain", "fingerprint": "73a3d0b246962d810e5999d9a8ab49f49da5480abc058eaceb15ce451c0fa2db", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|73a3d0b246962d810e5999d9a8ab49f49da5480abc058eaceb15ce451c0fa2db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/hourly-community-issue.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125987, "scanner": "repobility-supply-chain", "fingerprint": "c800724baaff1dfb032e97fb8289c90ee634c312dd3058522a9df42eba481cde", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c800724baaff1dfb032e97fb8289c90ee634c312dd3058522a9df42eba481cde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/hourly-community-issue.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125986, "scanner": "repobility-supply-chain", "fingerprint": "76f31c3ffa485a12d8f37d2daf5fc65e5db910eaac5189d7a6ee8f6ef58d1ed1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76f31c3ffa485a12d8f37d2daf5fc65e5db910eaac5189d7a6ee8f6ef58d1ed1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/hourly-community-issue.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125985, "scanner": "repobility-supply-chain", "fingerprint": "1bb2315e668946a0fbf75cb7d94a36ce0c6d22b51b2177224ef7f6a275a8774e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1bb2315e668946a0fbf75cb7d94a36ce0c6d22b51b2177224ef7f6a275a8774e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-reset-community-backlog.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125984, "scanner": "repobility-supply-chain", "fingerprint": "5bfb7848483bcf823f33be53b28087351cf9f1e13c198291cd5b1b1a497ee5bb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5bfb7848483bcf823f33be53b28087351cf9f1e13c198291cd5b1b1a497ee5bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-reset-community-backlog.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125983, "scanner": "repobility-supply-chain", "fingerprint": "adb8a5e04e6910455ae8ba6974863918fad6e3b7b43379d9503eadbf1c46d40b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|adb8a5e04e6910455ae8ba6974863918fad6e3b7b43379d9503eadbf1c46d40b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/issue-closed-community-backlog.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125982, "scanner": "repobility-supply-chain", "fingerprint": "9492ad14f1d2c9005944b84a25525abf985a445cb7fc33767f4600e5d45daec5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9492ad14f1d2c9005944b84a25525abf985a445cb7fc33767f4600e5d45daec5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/issue-closed-community-backlog.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125981, "scanner": "repobility-supply-chain", "fingerprint": "62b7b62234b0651ebf5d80ba67a966e32ab86e1c9d38cfa08aacaa718dc9fe55", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|62b7b62234b0651ebf5d80ba67a966e32ab86e1c9d38cfa08aacaa718dc9fe55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backfill-community-backlog.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125980, "scanner": "repobility-supply-chain", "fingerprint": "dcb61f1553c3224d07bf6ad21e3549c6d6de6a6c67f73de98dc9b3f1568bfeaa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dcb61f1553c3224d07bf6ad21e3549c6d6de6a6c67f73de98dc9b3f1568bfeaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backfill-community-backlog.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125979, "scanner": "repobility-supply-chain", "fingerprint": "d3ea0f53bd2acb187b21511e74e186499d08a23e39edbac930cae627babd08fa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d3ea0f53bd2acb187b21511e74e186499d08a23e39edbac930cae627babd08fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backfill-pr-authors.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125978, "scanner": "repobility-supply-chain", "fingerprint": "8330b5f22055cf3d0fd4dfde74dfb6ad8ca982914ca36ef2b4c3ed4e8066d91d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8330b5f22055cf3d0fd4dfde74dfb6ad8ca982914ca36ef2b4c3ed4e8066d91d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-check-comment.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125977, "scanner": "repobility-supply-chain", "fingerprint": "ee4cbd5fafd0f0fc7d6c112b49131ca22e6759b1f14ea9df6e41f6fa6245a085", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ee4cbd5fafd0f0fc7d6c112b49131ca22e6759b1f14ea9df6e41f6fa6245a085"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/github-metrics.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125976, "scanner": "repobility-supply-chain", "fingerprint": "2e3b9eefdf6146cd753533c2a4976bb9fca7cc69f73171db5d721db5e4c1c747", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2e3b9eefdf6146cd753533c2a4976bb9fca7cc69f73171db5d721db5e4c1c747"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/github-metrics.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125975, "scanner": "repobility-supply-chain", "fingerprint": "b0eff03e79af8c77fa44aeab86936c1110d7d610252f34ece98c491791dc7ec0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b0eff03e79af8c77fa44aeab86936c1110d7d610252f34ece98c491791dc7ec0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/github-metrics.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125974, "scanner": "repobility-supply-chain", "fingerprint": "5bf3c8e72e33edc1493ef46d743538cb903948621e185eda928fd737f1839dc4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5bf3c8e72e33edc1493ef46d743538cb903948621e185eda928fd737f1839dc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-community-review.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125973, "scanner": "repobility-supply-chain", "fingerprint": "a01477b81af26e64345f977b4feb79df72c4eb0e506d64e75b17b14d1fe621b6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a01477b81af26e64345f977b4feb79df72c4eb0e506d64e75b17b14d1fe621b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-community-review.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125972, "scanner": "repobility-supply-chain", "fingerprint": "4bfcab9e9c63b9838ad5e0c27778bfb28771ed490998c374010f09bf9d501913", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4bfcab9e9c63b9838ad5e0c27778bfb28771ed490998c374010f09bf9d501913"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-community-review.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 125971, "scanner": "repobility-supply-chain", "fingerprint": "c55fdcaa195586b7eb32ff1b61f4e3830d4e7b7a0d1fb2aeb001f2edbbe0e622", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c55fdcaa195586b7eb32ff1b61f4e3830d4e7b7a0d1fb2aeb001f2edbbe0e622"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.dev"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 125970, "scanner": "repobility-supply-chain", "fingerprint": "0630d3d4cef0e72fb61b97098d75cc9f06463c2472692a333dbca6148adf0319", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0630d3d4cef0e72fb61b97098d75cc9f06463c2472692a333dbca6148adf0319"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 125969, "scanner": "repobility-supply-chain", "fingerprint": "1b4196f5102b9f9999316d0f1c37d340a70f9a92b616fc50474102568f599040", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b4196f5102b9f9999316d0f1c37d340a70f9a92b616fc50474102568f599040"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 125968, "scanner": "repobility-supply-chain", "fingerprint": "03fcf41d340ad7283bc058977f4dfc70bb07ae1d71c4f7643bb2106f333f1010", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|03fcf41d340ad7283bc058977f4dfc70bb07ae1d71c4f7643bb2106f333f1010"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 125942, "scanner": "repobility-docker", "fingerprint": "12d5daf7d03769ff859b38bd49e4cd5ad1a2070666d650f4f4bc16838f2d7f37", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|12d5daf7d03769ff859b38bd49e4cd5ad1a2070666d650f4f4bc16838f2d7f37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.dev"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 125940, "scanner": "repobility-docker", "fingerprint": "27e7f836d193341b568f10d1d2275f65a92e1c5e1ca7e9427cbe7cc38d1474f5", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|27e7f836d193341b568f10d1d2275f65a92e1c5e1ca7e9427cbe7cc38d1474f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 125908, "scanner": "repobility-threat-engine", "fingerprint": "af51e409899974ae19c0f650ed7d36e098b331c65197f1a7b5be5221dfde783c", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n      (url) => `\n  <sitemap>\n    <loc>${url}</loc>\n    <lastmod>${new Date().toISOString()}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|af51e409899974ae19c0f650ed7d36e098b331c65197f1a7b5be5221dfde783c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/utils/sitemap-utils.ts"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 125905, "scanner": "repobility-threat-engine", "fingerprint": "9a1c894b7d9faad904e9758aad8270294251a408c9ea56e74a1e80e5d5956dcc", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(projectRoot, 'core/i18n/request", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|15|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/i18n/validate-config.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 125904, "scanner": "repobility-threat-engine", "fingerprint": "b1443966a239838666f7ec5f76bae63fc27d86e7c305e8ebe8a7100067f405aa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b1443966a239838666f7ec5f76bae63fc27d86e7c305e8ebe8a7100067f405aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/i18n/validate-config.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 125892, "scanner": "repobility-threat-engine", "fingerprint": "0bc719a33aa19801562eaf579140db8724a3ad86273ea456c4bfd60f3a9e5104", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0bc719a33aa19801562eaf579140db8724a3ad86273ea456c4bfd60f3a9e5104"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/layout.tsx"}, "region": {"startLine": 185}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 125891, "scanner": "repobility-threat-engine", "fingerprint": "7acbd3cd39f7b30d1c49540efe685371b024ec671a649b55df9c5f06523c31b7", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7acbd3cd39f7b30d1c49540efe685371b024ec671a649b55df9c5f06523c31b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/api/trivia/route.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 125890, "scanner": "repobility-threat-engine", "fingerprint": "0f96f9de73c9dd3cc79ee3f0fb10fbc8396eec1a327940f92412f207462d6279", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0f96f9de73c9dd3cc79ee3f0fb10fbc8396eec1a327940f92412f207462d6279"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/api/indexnow/route.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 125884, "scanner": "repobility-threat-engine", "fingerprint": "b241322fea937dc70973fa907abcfcacfeafa5ef9f16025c61c3fb7984aa92a0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ctx.save();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b241322fea937dc70973fa907abcfcacfeafa5ef9f16025c61c3fb7984aa92a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "features/Preferences/components/renderers/ClickEffectRenderer.tsx"}, "region": {"startLine": 132}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 125883, "scanner": "repobility-threat-engine", "fingerprint": "173687439cae2382023acd98af14dcb6b3725887320fafb0869ef233c8c0638d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "newSet.delete(index);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|173687439cae2382023acd98af14dcb6b3725887320fafb0869ef233c8c0638d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "features/Conjugator/components/FAQ.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 125882, "scanner": "repobility-threat-engine", "fingerprint": "78a777b6d41e53d2329540b3082b69418f0edbe3da9f66b3b0bbd2e948c9d7fb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "analysisCache.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|78a777b6d41e53d2329540b3082b69418f0edbe3da9f66b3b0bbd2e948c9d7fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/api/analyze-text/route.ts"}, "region": {"startLine": 55}}}]}]}]}