{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Dockerfile base image uses the latest tag", "shortDescription": {"text": "Dockerfile base image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AGT013", "name": "Agent auto-approve or skip-permissions mode is easy to enable", "shortDescription": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "fullDescription": {"text": "Require an explicit isolated profile for auto-approve modes. Keep safe defaults interactive, add visible warnings, and block these modes when the workspace contains secrets or production deploy credentials."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT006", "name": "React interval is created without an explicit cleanup", "shortDescription": {"text": "React interval is created without an explicit cleanup"}, "fullDescription": {"text": "Store the interval id and return a useEffect cleanup that calls clearInterval. Also clear the interval in explicit stop/end handlers when relevant."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "Add regression tests for anonymous denial, cross-user object denial, admin role limits, and super_admin-only behavior."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 9 (SonarSource scale). Cognitive complexit", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 9."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED099", "name": "[MINED099] Hardcoded Secret (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED099] Hardcoded Secret (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Move the secret to an environment variable or secret manager. Rotate the exposed credential immediately \u2014 assume it is compromised."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC048", "name": "[SEC048] AWS access key (any prefix) (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC048] AWS access key (any prefix) (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Rotate the key in IAM and move to AWS Secrets Manager or environment variables loaded at runtime."}, "properties": {"scanner": "repobility-threat-engine", "category": "secret", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC010", "name": "[SEC010] Cloud Provider Token (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC010] Cloud Provider Token (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Remove immediately and rotate the token. Use environment variables."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED039", "name": "[MINED039] Rust Todo Macro (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED039] Rust Todo Macro (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block (and 28 more): Same pattern found in 28 additional files. Review if needed.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block (and 28 more): Same pattern found in 28 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 64 more): Same pattern found in 64 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 64 more): Same pattern found in 64 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 224 more): Same pattern found in 224 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 224 more): Same pattern found in 224 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 157 more): Same pattern found in 157 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 157 more): Same pattern found in 157 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 133 more): Same pattern found in 133 a", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 133 more): Same pattern found in 133 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED048", "name": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues.", "shortDescription": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 20 more): Same pattern found in 20 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `app/assets/windows/arm64/dxcompiler.dll` committed in source repo: `app/assets/windows/arm64/dxc", "shortDescription": {"text": "[MINED134] Binary file `app/assets/windows/arm64/dxcompiler.dll` committed in source repo: `app/assets/windows/arm64/dxcompiler.dll` is a .dll binary (22,581,808 bytes) committed to a repo that otherwise has 3502 source files. Trojan binari"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `archlinux:base-devel` not pinned by digest: `FROM archlinux:base-devel` resolves the tag at ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `archlinux:base-devel` not pinned by digest: `FROM archlinux:base-devel` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Produc"}, "fullDescription": {"text": "Replace with: `FROM archlinux:base-devel@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `warpdotdev/oz-for-oss/.github/workflows/update-triage.yml` pinned to mutable ref `@main`: `uses: warp", "shortDescription": {"text": "[MINED115] Action `warpdotdev/oz-for-oss/.github/workflows/update-triage.yml` pinned to mutable ref `@main`: `uses: warpdotdev/oz-for-oss/.github/workflows/update-triage.yml@main` resolves at workflow-run time. Tags and branches can be re-p"}, "fullDescription": {"text": "Replace with: `uses: warpdotdev/oz-for-oss/.github/workflows/update-triage.yml@<40-char-sha>  # main` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.send_response` used but never assigned in __init__: Method `do_POST` of class `ReviewHandler` reads `se", "shortDescription": {"text": "[MINED108] `self.send_response` used but never assigned in __init__: Method `do_POST` of class `ReviewHandler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError "}, "fullDescription": {"text": "Initialize `self.send_response = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC061", "name": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from", "shortDescription": {"text": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT)."}, "fullDescription": {"text": "If the JWT is live, invalidate by rotating the signing key. Move tokens out of source."}, "properties": {"scanner": "repobility-threat-engine", "category": "secret", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED041", "name": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs.", "shortDescription": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC113", "name": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impe", "shortDescription": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`."}, "fullDescription": {"text": "Python: load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`. Go: implement a `ssh.HostKeyCallback` that compares against a known fingerprint. Java JSch: load known_hosts via `jsch.setKnownHosts(...)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.REPO_SYNC_APP_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pul", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.REPO_SYNC_APP_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.REPO_SYNC_APP_PRIVATE_KEY }` lets a PR from any fo"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. T", "shortDescription": {"text": "[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import html` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC051", "name": "[SEC051] Stripe live/test key: Stripe API key (live or test). Live keys can charge real cards. Ported from gitleaks stri", "shortDescription": {"text": "[SEC051] Stripe live/test key: Stripe API key (live or test). Live keys can charge real cards. Ported from gitleaks stripe-access-token (MIT)."}, "fullDescription": {"text": "Roll the key in Stripe Dashboard immediately. If a live key was committed, audit Stripe events for unauthorized charges."}, "properties": {"scanner": "repobility-threat-engine", "category": "secret", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC049", "name": "[SEC049] GCP API key: Google Cloud API key (AIza prefix). Ported from gitleaks gcp-api-key (MIT).", "shortDescription": {"text": "[SEC049] GCP API key: Google Cloud API key (AIza prefix). Ported from gitleaks gcp-api-key (MIT)."}, "fullDescription": {"text": "Restrict the key in Cloud Console (HTTP referrers / IP whitelist) and rotate. Move to Secret Manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "secret", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/878"}, "properties": {"repository": "warpdotdev/warp", "repoUrl": "https://github.com/warpdotdev/warp", "branch": "master"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 80769, "scanner": "repobility-ast-engine", "fingerprint": "a4982ef87f44d068ccdb05868784bcbe1349fce12df0cf7b1fc6355a0f1708e8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a4982ef87f44d068ccdb05868784bcbe1349fce12df0cf7b1fc6355a0f1708e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/scripts/run_eval.py"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 80768, "scanner": "repobility-ast-engine", "fingerprint": "536362396a9c9dcee91cad33daea0680d042eb8057e10c315632f3d2fb6f91ef", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|536362396a9c9dcee91cad33daea0680d042eb8057e10c315632f3d2fb6f91ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/scripts/package_skill.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 80743, "scanner": "repobility-journey-contract", "fingerprint": "b00afc4153f52bc4ea367bbbf1dab79e523b6e6a94920b539ce0d772b285cf6a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/feedback", "correlation_key": "fp|b00afc4153f52bc4ea367bbbf1dab79e523b6e6a94920b539ce0d772b285cf6a", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/viewer.html"}, "region": {"startLine": 1044}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 80742, "scanner": "repobility-journey-contract", "fingerprint": "4b66b437b359410fb5052d721f3cd091e76dc1a1b387d6dd6cbd171dab142110", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/feedback", "correlation_key": "fp|4b66b437b359410fb5052d721f3cd091e76dc1a1b387d6dd6cbd171dab142110", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/viewer.html"}, "region": {"startLine": 1012}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 80741, "scanner": "repobility-journey-contract", "fingerprint": "530ca8a7824a69ce7251ffddb7b0fc3a234c78d76e95766444014f4305629b4a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/feedback", "correlation_key": "fp|530ca8a7824a69ce7251ffddb7b0fc3a234c78d76e95766444014f4305629b4a", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/viewer.html"}, "region": {"startLine": 666}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 80739, "scanner": "repobility-access-control", "fingerprint": "b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 1, "correlation_key": "fp|b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "auth_visible_percent": 0.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 80738, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Axum"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 80737, "scanner": "repobility-docker", "fingerprint": "c0d04f728d4cd46a00b70dff83d41c4ad77423341320151adb9f21206006c037", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:sid", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c0d04f728d4cd46a00b70dff83d41c4ad77423341320151adb9f21206006c037"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/linux-dev/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 80729, "scanner": "repobility-docker", "fingerprint": "3681046e4ff87e71fa60d3ac5817fc27b7627b8fa0d94231e812650d2ff5a39b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:24.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3681046e4ff87e71fa60d3ac5817fc27b7627b8fa0d94231e812650d2ff5a39b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/agent-dev/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 80725, "scanner": "repobility-docker", "fingerprint": "e750d887fdf9eeb82f46b96a737e8beeea14fb6e94d6492b0a07c714f1bc2d65", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e750d887fdf9eeb82f46b96a737e8beeea14fb6e94d6492b0a07c714f1bc2d65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/tests/ssh/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 80722, "scanner": "repobility-docker", "fingerprint": "46eb7d218cfef97c9bed0eb20755b7604c6c7f58ca709a00d16aaf57da91204a", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ubuntu:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|46eb7d218cfef97c9bed0eb20755b7604c6c7f58ca709a00d16aaf57da91204a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/tests/ssh/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 80720, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "crates/persistence/migrations/2023-07-19-214343_snapshot-notebook-panes/up.sql", "size_mb": 0.0}, {"path": "crates/persistence/migrations/2023-07-19-214343_snapshot-notebook-panes/down.sql", "size_mb": 0.0}, {"path": "crates/persistence/migrations/2023-07-13-191246_add_prompt_snapshot_field/up.sql", "size_mb": 0.0}, {"path": "crates/persistence/migrations/2023-07-13-191246_add_prompt_snapshot_field/down.sql", "size_mb": 0.0}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 80719, "scanner": "repobility-agent-runtime", "fingerprint": "1fc1e83261141b7e6be3f25b74009aa4115e423c7ad26e3f29e2fef72029cdb4", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|1fc1e83261141b7e6be3f25b74009aa4115e423c7ad26e3f29e2fef72029cdb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "specs/REMOTE-1404/TECH.md"}, "region": {"startLine": 4}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 80718, "scanner": "repobility-agent-runtime", "fingerprint": "f6514714d1d644f27a7dfa5c6903c8a545f5b09773e6dd75d8a7d71aaa2187d1", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|f6514714d1d644f27a7dfa5c6903c8a545f5b09773e6dd75d8a7d71aaa2187d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/oz-platform/references/third-party-clis.md"}, "region": {"startLine": 183}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 80717, "scanner": "repobility-agent-runtime", "fingerprint": "b4971d07be6066e58a068c2916e638ec75776973dc543032a2e1dba89f7e24b3", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|b4971d07be6066e58a068c2916e638ec75776973dc543032a2e1dba89f7e24b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/oz-platform/references/third-party-clis.md"}, "region": {"startLine": 97}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 80716, "scanner": "repobility-agent-runtime", "fingerprint": "145eef4ba65b9df4b012b126a5f759134a2667c88833af2dcc8b23a0d4757e1e", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|145eef4ba65b9df4b012b126a5f759134a2667c88833af2dcc8b23a0d4757e1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/mcp_skills/figma/figma-use/references/plugin-api-standalone.d.ts"}, "region": {"startLine": 174}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 80685, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ae007ecd1c18302863ea94d71672ce02daef95bad4ee881436f278feac2b715b", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|ae007ecd1c18302863ea94d71672ce02daef95bad4ee881436f278feac2b715b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/repo_metadata/src/file_tree_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 80684, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dda646ca9e8dd73bae588dafa742f17aab6c1d2724c0c8b7f1e227f899bf5458", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|dda646ca9e8dd73bae588dafa742f17aab6c1d2724c0c8b7f1e227f899bf5458"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/code_review/git_status_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 80679, "scanner": "repobility-threat-engine", "fingerprint": "9482bdcbbbb12d1643d332ab6ff6a5cef2274243d40822b5c82bdce81e795766", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|crates/command/src/unix.rs|49|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/command/src/unix.rs"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 80643, "scanner": "repobility-threat-engine", "fingerprint": "fe80853e5980433609726dccd388f24cda61fb96c7cb755e85428618aa0e6a1e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url: \"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fe80853e5980433609726dccd388f24cda61fb96c7cb755e85428618aa0e6a1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/server/server_api/presigned_upload_tests.rs"}, "region": {"startLine": 236}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 80642, "scanner": "repobility-threat-engine", "fingerprint": "6230f63d265ed5a43fe217d5c423afb437b7307f9fea7f288d80ff05a5208a99", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url: \"http://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6230f63d265ed5a43fe217d5c423afb437b7307f9fea7f288d80ff05a5208a99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/notebooks/notebook/details_bar_tests.rs"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 80641, "scanner": "repobility-threat-engine", "fingerprint": "c009a308b6fe2fcf5abaeb0e32d598624ac6feb9d8d12e4f93efdd20d6ab6b26", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url = \"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c009a308b6fe2fcf5abaeb0e32d598624ac6feb9d8d12e4f93efdd20d6ab6b26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/agent_sdk/driver/harness/mod_tests.rs"}, "region": {"startLine": 30}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 80740, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Axum"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 80735, "scanner": "repobility-docker", "fingerprint": "810aad978ed700fc3053ed336c9e41fee5d3341d15966075d6c82560923fa6e7", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|810aad978ed700fc3053ed336c9e41fee5d3341d15966075d6c82560923fa6e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/linux-dev/Dockerfile"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 80734, "scanner": "repobility-docker", "fingerprint": "5fa689e9af00529db8bb33d305979f7e9ee086735c27a46ba303ff3025c97f03", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|5fa689e9af00529db8bb33d305979f7e9ee086735c27a46ba303ff3025c97f03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/linux-dev/Dockerfile"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 80733, "scanner": "repobility-docker", "fingerprint": "1903419eca14d9d4072ac115da67aa4d4efa081db1386fa5fe882a78cde564ca", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1903419eca14d9d4072ac115da67aa4d4efa081db1386fa5fe882a78cde564ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/linux-dev/Dockerfile"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 80732, "scanner": "repobility-docker", "fingerprint": "fb09d09639253a3b134ffdbf34133611a73348d6031bc665e05c10b00cb5e73d", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|fb09d09639253a3b134ffdbf34133611a73348d6031bc665e05c10b00cb5e73d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/linux-dev/Dockerfile"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 80731, "scanner": "repobility-docker", "fingerprint": "379a8576fd4305283000577f4b19dcc4e5a511e9d263a3b62d6e187b55de3e35", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|379a8576fd4305283000577f4b19dcc4e5a511e9d263a3b62d6e187b55de3e35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/linux-dev/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 80730, "scanner": "repobility-docker", "fingerprint": "05e0c10894aea48250942dfb358bfd8eb46c70ba88efa1ee5276ae6cf6e6b848", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|05e0c10894aea48250942dfb358bfd8eb46c70ba88efa1ee5276ae6cf6e6b848"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/linux-dev/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 80726, "scanner": "repobility-docker", "fingerprint": "59b5100559da742fe1244d3d17644d491c6a3a3ae5c75bdebdc292fe49ebdc79", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|59b5100559da742fe1244d3d17644d491c6a3a3ae5c75bdebdc292fe49ebdc79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/agent-dev/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 80724, "scanner": "repobility-docker", "fingerprint": "913e8baf41f6936d2f33b8f2cff5f5cb7e429257df792dfcf0b40616abad1405", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|913e8baf41f6936d2f33b8f2cff5f5cb7e429257df792dfcf0b40616abad1405"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/tests/ssh/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 80723, "scanner": "repobility-docker", "fingerprint": "16ec5b5d41777753195525910e69b1eb4c89ad50f6e6cb5697fa7848053b3b0b", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|16ec5b5d41777753195525910e69b1eb4c89ad50f6e6cb5697fa7848053b3b0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/tests/ssh/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 80721, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80715, "scanner": "repobility-ai-code-hygiene", "fingerprint": "68d6fd443651e4851fa9a5b31d42420305d88e2a60d0c9569d0aecedc4ba5e19", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/ambient_agents/scheduled.rs", "duplicate_line": 45, "correlation_key": "fp|68d6fd443651e4851fa9a5b31d42420305d88e2a60d0c9569d0aecedc4ba5e19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/cloud_environments/mod.rs"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80714, "scanner": "repobility-ai-code-hygiene", "fingerprint": "03f432659b3cc5f4ffee7f713cb592b601c843281367ae8869556f02665d064c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/ambient_agents/scheduled.rs", "duplicate_line": 45, "correlation_key": "fp|03f432659b3cc5f4ffee7f713cb592b601c843281367ae8869556f02665d064c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/cloud_agent_config/mod.rs"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80713, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0320a956193d1e5ab64887e77cee0e5eaf6eafac616c4290b8f7e090efeeb677", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/suggested_rule_modal.rs", "duplicate_line": 339, "correlation_key": "fp|0320a956193d1e5ab64887e77cee0e5eaf6eafac616c4290b8f7e090efeeb677"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/suggestion_chip_view.rs"}, "region": {"startLine": 208}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80712, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9a9d49c54361e9f776b57fd5236d1cc5ba548943ce169e70bc68a290cefaada6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/suggested_agent_mode_workflow_modal.rs", "duplicate_line": 97, "correlation_key": "fp|9a9d49c54361e9f776b57fd5236d1cc5ba548943ce169e70bc68a290cefaada6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/suggested_rule_modal.rs"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80711, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c8ce0a0496870d95eac37efd8659c5e794bd7f50c2b242752f2e0fd6fa85e56e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/action_model/execute/read_files.rs", "duplicate_line": 53, "correlation_key": "fp|c8ce0a0496870d95eac37efd8659c5e794bd7f50c2b242752f2e0fd6fa85e56e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/passive_suggestions/legacy.rs"}, "region": {"startLine": 358}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80710, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9fddeec86c3ed7435cb91b2dc6efc37263e01219216b1df6dff83c23de15ec50", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/inline_action/web_fetch.rs", "duplicate_line": 44, "correlation_key": "fp|9fddeec86c3ed7435cb91b2dc6efc37263e01219216b1df6dff83c23de15ec50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/inline_action/web_search.rs"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80709, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e11fa45f37a17fa866a9af0ff672bf4b3b43e162013732aba792e962f09abaff", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/agent_view/orchestration_pill_bar_tests.rs", "duplicate_line": 19, "correlation_key": "fp|e11fa45f37a17fa866a9af0ff672bf4b3b43e162013732aba792e962f09abaff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/block/view_impl/orchestration_tests.rs"}, "region": {"startLine": 242}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80708, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b497a0cd36bea2953369856b8c92015469eb223a7ac3aabd0ab9d1a18d38e896", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/action_model/execute/ask_user_question_tests.rs", "duplicate_line": 68, "correlation_key": "fp|b497a0cd36bea2953369856b8c92015469eb223a7ac3aabd0ab9d1a18d38e896"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/action_model/execute/upload_artifact_tests.rs"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80707, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7a9886d2cabef75445449bd8dc338456cecc3fd503a436bf273ea4cc086caba0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/action_model/execute/call_mcp_tool.rs", "duplicate_line": 27, "correlation_key": "fp|7a9886d2cabef75445449bd8dc338456cecc3fd503a436bf273ea4cc086caba0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/action_model/execute/upload_artifact.rs"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80706, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a10b3a25da7bde53b3d63b4927a50b09c1f81c3a799eb95d12db1eb385167b68", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/action_model/execute/start_agent.rs", "duplicate_line": 216, "correlation_key": "fp|a10b3a25da7bde53b3d63b4927a50b09c1f81c3a799eb95d12db1eb385167b68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/action_model/execute/suggest_prompt.rs"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80705, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9b0870a0d574e16a16f8d6a2779c0c092f1796fb817665ba4ae88b9d61456d22", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/action_model/execute/edit_documents.rs", "duplicate_line": 17, "correlation_key": "fp|9b0870a0d574e16a16f8d6a2779c0c092f1796fb817665ba4ae88b9d61456d22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/action_model/execute/suggest_prompt.rs"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80704, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d8c90762b3c16d45a3818de657ae732e320f27b3cef321efe5d20be3eeb7d7fd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/action_model/execute/create_documents.rs", "duplicate_line": 28, "correlation_key": "fp|d8c90762b3c16d45a3818de657ae732e320f27b3cef321efe5d20be3eeb7d7fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/action_model/execute/suggest_prompt.rs"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80703, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1009f9c95d94cf12500772e5d0d819d7e2023714616b41ce2f5e477ca902250c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/action_model/execute/edit_documents.rs", "duplicate_line": 17, "correlation_key": "fp|1009f9c95d94cf12500772e5d0d819d7e2023714616b41ce2f5e477ca902250c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/action_model/execute/start_agent.rs"}, "region": {"startLine": 214}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80702, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9bf05dcbd7c63aa0af2fe504959000a260e03fa5c4c07e7d1589c162d420c811", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/action_model/execute/create_documents.rs", "duplicate_line": 28, "correlation_key": "fp|9bf05dcbd7c63aa0af2fe504959000a260e03fa5c4c07e7d1589c162d420c811"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/action_model/execute/start_agent.rs"}, "region": {"startLine": 213}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80701, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a0cc559c28874d2eca96449350c9e8d13721db22f9bb555ad913f27770b72466", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/action_model/execute/edit_documents.rs", "duplicate_line": 17, "correlation_key": "fp|a0cc559c28874d2eca96449350c9e8d13721db22f9bb555ad913f27770b72466"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/action_model/execute/send_message.rs"}, "region": {"startLine": 110}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80700, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7732c14f46b23e9bfd091b5538f69f8bafbc6af8d97143e33750200fe7958707", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/action_model/execute/get_files.rs", "duplicate_line": 38, "correlation_key": "fp|7732c14f46b23e9bfd091b5538f69f8bafbc6af8d97143e33750200fe7958707"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/action_model/execute/search_codebase.rs"}, "region": {"startLine": 133}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80699, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e95ae588e434c4a1c0b58b397536ba71a921c900c23b8dd62d0145a49f67e678", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/action_model/execute/edit_documents.rs", "duplicate_line": 15, "correlation_key": "fp|e95ae588e434c4a1c0b58b397536ba71a921c900c23b8dd62d0145a49f67e678"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/action_model/execute/read_skill.rs"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80698, "scanner": "repobility-ai-code-hygiene", "fingerprint": "754864280aa416ece5cccf601b3b70f381dd7b2f618f940a0c2547dc9c4ab1d5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/action_model/execute/call_mcp_tool.rs", "duplicate_line": 22, "correlation_key": "fp|754864280aa416ece5cccf601b3b70f381dd7b2f618f940a0c2547dc9c4ab1d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/action_model/execute/read_mcp_resource.rs"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80697, "scanner": "repobility-ai-code-hygiene", "fingerprint": "68eacedc32260934207bea698e2befff78b41b64f314c0bec1904adf8adcd6ce", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/action_model/execute/get_files.rs", "duplicate_line": 51, "correlation_key": "fp|68eacedc32260934207bea698e2befff78b41b64f314c0bec1904adf8adcd6ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/action_model/execute/read_files.rs"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80696, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8a03fdaa336ea3ed89c4eae749db3f02d0afc3d0de1c7a435d1d7ab876d75ca4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/action_model/execute/file_glob.rs", "duplicate_line": 36, "correlation_key": "fp|8a03fdaa336ea3ed89c4eae749db3f02d0afc3d0de1c7a435d1d7ab876d75ca4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/action_model/execute/read_files.rs"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80695, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1f3c563cccc8d920e6afaaa6fd1ab816da8f4fe4ad29446602469cfce994488b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/action_model/execute/edit_documents.rs", "duplicate_line": 15, "correlation_key": "fp|1f3c563cccc8d920e6afaaa6fd1ab816da8f4fe4ad29446602469cfce994488b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/action_model/execute/read_documents.rs"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80694, "scanner": "repobility-ai-code-hygiene", "fingerprint": "22c33079a5c69d01cf0f56cf895487e54089983753487f38d4128c1aa6f571c2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/action_model/execute/get_files.rs", "duplicate_line": 51, "correlation_key": "fp|22c33079a5c69d01cf0f56cf895487e54089983753487f38d4128c1aa6f571c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/action_model/execute/grep.rs"}, "region": {"startLine": 179}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80693, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c284c193ab8aee7394625eb26470f81c1317bd2abc5c016dc141b8d19922d1ac", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/action_model/execute/file_glob.rs", "duplicate_line": 36, "correlation_key": "fp|c284c193ab8aee7394625eb26470f81c1317bd2abc5c016dc141b8d19922d1ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/action_model/execute/grep.rs"}, "region": {"startLine": 164}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80692, "scanner": "repobility-ai-code-hygiene", "fingerprint": "75f500a9f906b9d216a6511446b5d681bb290e50bd259a372549d47c366bcfe6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/blocklist/action_model/execute/edit_documents.rs", "duplicate_line": 15, "correlation_key": "fp|75f500a9f906b9d216a6511446b5d681bb290e50bd259a372549d47c366bcfe6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/blocklist/action_model/execute/fetch_conversation.rs"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80691, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e38ee1f2564c65607640f8e83a94ac9475cff3ef433690f38c3719d32d7243d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/agent_sdk/driver/harness/claude_code.rs", "duplicate_line": 99, "correlation_key": "fp|4e38ee1f2564c65607640f8e83a94ac9475cff3ef433690f38c3719d32d7243d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/agent_sdk/driver/harness/mod.rs"}, "region": {"startLine": 120}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80690, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b416bc53b56e619d97d1b9edc95d1ab519532779001492d68f0655aff0da0547", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/agent_sdk/driver/harness/codex.rs", "duplicate_line": 266, "correlation_key": "fp|b416bc53b56e619d97d1b9edc95d1ab519532779001492d68f0655aff0da0547"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/agent_sdk/driver/harness/gemini.rs"}, "region": {"startLine": 141}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80689, "scanner": "repobility-ai-code-hygiene", "fingerprint": "89cab12cd4272db29ccfb0f1b22b403e1abaf977d86918e907f49dcc74b031cb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/agent_sdk/driver/harness/claude_code.rs", "duplicate_line": 95, "correlation_key": "fp|89cab12cd4272db29ccfb0f1b22b403e1abaf977d86918e907f49dcc74b031cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/agent_sdk/driver/harness/codex.rs"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80688, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b5475c38a902e5407185b488ba6115d0f84dcf6956441741d826cf6745bf7e8a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/agent_management/notifications/toast_stack.rs", "duplicate_line": 157, "correlation_key": "fp|b5475c38a902e5407185b488ba6115d0f84dcf6956441741d826cf6745bf7e8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/agent_management/notifications/view.rs"}, "region": {"startLine": 212}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80687, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3571bebbbc1c98abffd8342a90a6ddac742cff56410de6083be163382417a905", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/agent_events/driver_tests.rs", "duplicate_line": 77, "correlation_key": "fp|3571bebbbc1c98abffd8342a90a6ddac742cff56410de6083be163382417a905"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/agent_events/message_hydrator_tests.rs"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80686, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2aa71feb464a4c0eae64e211b6caa51f42fb5b3ea8f90d7b03c8584f8d83b244", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/ai/agent/task_store_tests.rs", "duplicate_line": 70, "correlation_key": "fp|2aa71feb464a4c0eae64e211b6caa51f42fb5b3ea8f90d7b03c8584f8d83b244"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/agent/task_tests.rs"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 80683, "scanner": "repobility-ai-code-hygiene", "fingerprint": "00934ab3ace10c0db60762a0a7bea58056391710d1022a3b01939d7946df539b", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|00934ab3ace10c0db60762a0a7bea58056391710d1022a3b01939d7946df539b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/repo_metadata/src/file_tree_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 80682, "scanner": "repobility-ai-code-hygiene", "fingerprint": "42d9fa6f319b240857a97f3d839acd94fe29139b24df37e1102c75a6b013823d", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|42d9fa6f319b240857a97f3d839acd94fe29139b24df37e1102c75a6b013823d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/code_review/git_status_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC002", "level": "note", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 80663, "scanner": "repobility-threat-engine", "fingerprint": "62424cfd55f77f6103cd1f69cfd16bddfeccf2871468842f25ac3ec29e5f2b73", "category": "credential_exposure", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Could not extract value for entropy analysis Collapsed 5 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "AKIAIOSFODNN7EXAMPLE", "reason": "Could not extract value for entropy analysis", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "secret|token|1|akiaiosfodnn7example", "duplicate_count": 5, "duplicate_rule_ids": ["SEC002", "SEC010", "SEC048"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["557595f05d76ff81983fd9d6c4b54ba74eb10caa06a0c08fba22c1b7a4e991b7", "62424cfd55f77f6103cd1f69cfd16bddfeccf2871468842f25ac3ec29e5f2b73", "706fcd92cdec3a1aa0676a856cf6749ef69d0dbb2d74c0b4b5266fdf6193d4be", "95e134eca9379bbc9e4a4a8d7ddf2c995a0ac46cc2a0a549c6c54c02ad9b6c1d", "cfdd3c40136a5ce2382e7f2ef2f781634a135b37c59aa7473db6411a06869aed", "d5716d475f8141e3935815f1a0f2997e658e38513fddc1bcdc84c3372f7f7cbd"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/server/telemetry/secret_redaction_tests.rs"}, "region": {"startLine": 8}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=2, for=1, if=3, nested_bonus=3."}, "properties": {"repobilityId": 80622, "scanner": "repobility-threat-engine", "fingerprint": "fae3c4b3f43ecc813cd083c3ac86b23e6643c00c143cb93a407f17892ff6eb31", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 3, "for": 1, "continue": 2, "nested_bonus": 3}, "complexity": 9, "correlation_key": "fp|fae3c4b3f43ecc813cd083c3ac86b23e6643c00c143cb93a407f17892ff6eb31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/changelog-draft/scripts/fetch_issue_reporters.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=1, else=2, for=1, if=2, nested_bonus=5."}, "properties": {"repobilityId": 80621, "scanner": "repobility-threat-engine", "fingerprint": "ac50382eda01d6ac74e343eba82892ef4af1d4a220d0a464ab9adaf4739db38b", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 2, "for": 1, "elif": 1, "else": 2, "nested_bonus": 5}, "complexity": 11, "correlation_key": "fp|ac50382eda01d6ac74e343eba82892ef4af1d4a220d0a464ab9adaf4739db38b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/changelog-draft/scripts/classify_contributors.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `chunk_lines` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=1, for=2, if=2, nested_bonus=5, ternary=1."}, "properties": {"repobilityId": 80620, "scanner": "repobility-threat-engine", "fingerprint": "086a5cf682ca8efc479950b0ab5287ba6415d9d9724c6515b3dfd08b50065e0b", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "chunk_lines", "breakdown": {"if": 2, "for": 2, "else": 1, "ternary": 1, "nested_bonus": 5}, "complexity": 11, "correlation_key": "fp|086a5cf682ca8efc479950b0ab5287ba6415d9d9724c6515b3dfd08b50065e0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/changelog-draft/scripts/build_slack_payload.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 80681, "scanner": "repobility-threat-engine", "fingerprint": "84c5cd49605411ba5a159ae1fa60afb10b85c50ba11b140744f2652dc68aa1a7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|84c5cd49605411ba5a159ae1fa60afb10b85c50ba11b140744f2652dc68aa1a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/lsp/src/servers/typescript_language_server.rs"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 80680, "scanner": "repobility-threat-engine", "fingerprint": "2f15cb53019d747b0901c4637974779f15e1f4274b9ac2de3b4ff13c93b16bd7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2f15cb53019d747b0901c4637974779f15e1f4274b9ac2de3b4ff13c93b16bd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/lsp/src/servers/pyright.rs"}, "region": {"startLine": 184}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 80678, "scanner": "repobility-threat-engine", "fingerprint": "821b397096fd7bbc4bc8f7c3b85522fcb36856b5c91a6d0907d6cfa41474e418", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|821b397096fd7bbc4bc8f7c3b85522fcb36856b5c91a6d0907d6cfa41474e418"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/command-signatures-v2/js/src/main.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 80676, "scanner": "repobility-threat-engine", "fingerprint": "a18f7640f9f9a09691b5fb23b7ac6807913e19df928e966e6aa9bb54ac05579d", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a18f7640f9f9a09691b5fb23b7ac6807913e19df928e966e6aa9bb54ac05579d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/util/git_tests.rs"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED099", "level": "none", "message": {"text": "[MINED099] Hardcoded Secret (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 80672, "scanner": "repobility-threat-engine", "fingerprint": "090aaf0b9512c2f21d2a371526263f22493ad5e17b2c300c1de13b9c34bc6c1e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|090aaf0b9512c2f21d2a371526263f22493ad5e17b2c300c1de13b9c34bc6c1e", "aggregated_count": 1}}}, {"ruleId": "MINED099", "level": "none", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 80671, "scanner": "repobility-threat-engine", "fingerprint": "e3206094eca88aed266859d962ed33931ea17f536b54a17ce60ed3a9f4c52fe7", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'example' detected on same line", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e3206094eca88aed266859d962ed33931ea17f536b54a17ce60ed3a9f4c52fe7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/server/telemetry_ext_tests.rs"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED099", "level": "none", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 80670, "scanner": "repobility-threat-engine", "fingerprint": "3ea1ba6323dba1ec1cb1c048e1de1e625b24743accdf9199f22bfdc5fe061438", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'example' detected on same line", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3ea1ba6323dba1ec1cb1c048e1de1e625b24743accdf9199f22bfdc5fe061438"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/server/telemetry/secret_redaction_tests.rs"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC048", "level": "none", "message": {"text": "[SEC048] AWS access key (any prefix) (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 80668, "scanner": "repobility-threat-engine", "fingerprint": "9c87a8a076fa62802beee27420f2afbe7ef5c31173608ed4462410a018123b25", "category": "secret", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC048", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9c87a8a076fa62802beee27420f2afbe7ef5c31173608ed4462410a018123b25"}}}, {"ruleId": "SEC010", "level": "none", "message": {"text": "[SEC010] Cloud Provider Token (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 80666, "scanner": "repobility-threat-engine", "fingerprint": "6bbba82d87fa8432c30a0dd483045a57b1e245e0fe25c012d57efb6d85fac792", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC010", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|6bbba82d87fa8432c30a0dd483045a57b1e245e0fe25c012d57efb6d85fac792"}}}, {"ruleId": "SEC002", "level": "none", "message": {"text": "[SEC002] Hardcoded API Key (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 80664, "scanner": "repobility-threat-engine", "fingerprint": "3d3cf2fe698902d4dff187f3e4c4afb0b043ae1c1b5487d9b244f00881c7ac3d", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3d3cf2fe698902d4dff187f3e4c4afb0b043ae1c1b5487d9b244f00881c7ac3d"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 80661, "scanner": "repobility-threat-engine", "fingerprint": "db760fc2b51cfcddc0413651d922ab97ec59e5048e72f02b386cc067a4602e27", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|db760fc2b51cfcddc0413651d922ab97ec59e5048e72f02b386cc067a4602e27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/platform/mac/objc/crash_reporting.m"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 80659, "scanner": "repobility-threat-engine", "fingerprint": "15fb35bb6e8e08fe1c31b25949a6f6795778f51fbe91b5f1c398eaa19c710d51", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|15fb35bb6e8e08fe1c31b25949a6f6795778f51fbe91b5f1c398eaa19c710d51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/keyboard.rs"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED039", "level": "none", "message": {"text": "[MINED039] Rust Todo Macro (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 80658, "scanner": "repobility-threat-engine", "fingerprint": "ebeab63540f157f5a3cf25a946b330894d931c9860ffd02aa86c46c72b1ad57f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-todo-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347989+00:00", "triaged_in_corpus": 15, "observations_count": 1561, "ai_coder_pattern_id": 114}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ebeab63540f157f5a3cf25a946b330894d931c9860ffd02aa86c46c72b1ad57f", "aggregated_count": 4}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 80653, "scanner": "repobility-threat-engine", "fingerprint": "deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "aggregated_count": 1}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 80652, "scanner": "repobility-threat-engine", "fingerprint": "dd81ef55f6132c3a1d079c1d647a0ca6c1ad18ed91ef3d3c58f79f7d27b40eac", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dd81ef55f6132c3a1d079c1d647a0ca6c1ad18ed91ef3d3c58f79f7d27b40eac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/util/links.rs"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 80651, "scanner": "repobility-threat-engine", "fingerprint": "fb5bdaf6582deb2fb45ae16336278871de95013292b79d82ef186878ed7a658b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fb5bdaf6582deb2fb45ae16336278871de95013292b79d82ef186878ed7a658b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/settings_view/custom_inference_modal_tests.rs"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 80650, "scanner": "repobility-threat-engine", "fingerprint": "706a3bd61b43b898fcd854710d6a9200090840e87ed8cc455be71f14491dcb18", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|706a3bd61b43b898fcd854710d6a9200090840e87ed8cc455be71f14491dcb18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/integration_testing/agent_mode/util.rs"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block (and 28 more): Same pattern found in 28 additional files. Review if needed."}, "properties": {"repobilityId": 80648, "scanner": "repobility-threat-engine", "fingerprint": "3799f17eeb13df97229c314ed083eddc11aed0f95fd77390e4a302e22e8115c5", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 28 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3799f17eeb13df97229c314ed083eddc11aed0f95fd77390e4a302e22e8115c5", "aggregated_count": 28}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 80647, "scanner": "repobility-threat-engine", "fingerprint": "9e64cea228e9c0fe6d25d0ecb8121b2f4ec56d218737644f6f6d9c513f7c5108", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9e64cea228e9c0fe6d25d0ecb8121b2f4ec56d218737644f6f6d9c513f7c5108"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/app_services/mac.rs"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 80646, "scanner": "repobility-threat-engine", "fingerprint": "b56e1f11e19302da58587f55b8997afc6fb4644e7a287c4ab91bf01a7632c2ed", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b56e1f11e19302da58587f55b8997afc6fb4644e7a287c4ab91bf01a7632c2ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/antivirus/windows.rs"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 80645, "scanner": "repobility-threat-engine", "fingerprint": "59966faa94dd83142a5b465a24373c3e18f915b85612ec91870e6cab1f760c09", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|59966faa94dd83142a5b465a24373c3e18f915b85612ec91870e6cab1f760c09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/agent_sdk/output.rs"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC134", "level": "none", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 80644, "scanner": "repobility-threat-engine", "fingerprint": "2fc2352ee79a239983bde3b99e3e602f191c3f964939343206bb75ac755d22c0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2fc2352ee79a239983bde3b99e3e602f191c3f964939343206bb75ac755d22c0"}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 64 more): Same pattern found in 64 additional files. Review if needed."}, "properties": {"repobilityId": 80640, "scanner": "repobility-threat-engine", "fingerprint": "a400cab90d12f1c4fcb5e58a3a8ae768223e77f76f50a6e2c3b52377be4fb7eb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 64 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a400cab90d12f1c4fcb5e58a3a8ae768223e77f76f50a6e2c3b52377be4fb7eb", "aggregated_count": 64}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 80639, "scanner": "repobility-threat-engine", "fingerprint": "ab4bc006dd5fc88485150c3a3763bc3924919dc7f2746b2c0b75137bb09526d0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ab4bc006dd5fc88485150c3a3763bc3924919dc7f2746b2c0b75137bb09526d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/agent/util_tests.rs"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 80638, "scanner": "repobility-threat-engine", "fingerprint": "0b54b5f36a575b99bbcaa724a13e32cc8966a343c06ebb67e8b89478f3822790", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0b54b5f36a575b99bbcaa724a13e32cc8966a343c06ebb67e8b89478f3822790"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/agent/mod_tests.rs"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 80637, "scanner": "repobility-threat-engine", "fingerprint": "b67b10cf3ec12ff4b3c1cdddf913c307e21df64564ad6d5c79459d2fd4b37fb9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b67b10cf3ec12ff4b3c1cdddf913c307e21df64564ad6d5c79459d2fd4b37fb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/agent/api/convert_to_tests.rs"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 224 more): Same pattern found in 224 additional files. Review if needed."}, "properties": {"repobilityId": 80636, "scanner": "repobility-threat-engine", "fingerprint": "4144b453b6f1b6918e04d502dc121a008a660e668a972a73bb337d3c112c2fdb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 224 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4144b453b6f1b6918e04d502dc121a008a660e668a972a73bb337d3c112c2fdb", "aggregated_count": 224}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 80635, "scanner": "repobility-threat-engine", "fingerprint": "c5f2ad58f4e951548f1f249946f929817d5864b16973dd29409e9cfcbbbdfa9b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c5f2ad58f4e951548f1f249946f929817d5864b16973dd29409e9cfcbbbdfa9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/agent/util.rs"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 80634, "scanner": "repobility-threat-engine", "fingerprint": "ed5656fece07550f39c6c097246cf2b8254217818ffecab9b31be8b5c01dddc4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ed5656fece07550f39c6c097246cf2b8254217818ffecab9b31be8b5c01dddc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/agent/api/impl_tests.rs"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 80633, "scanner": "repobility-threat-engine", "fingerprint": "1474e9a35d2184319414e7da0e0da6ebdebbe7c3321af7c81df8650fccdcfad8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1474e9a35d2184319414e7da0e0da6ebdebbe7c3321af7c81df8650fccdcfad8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/agent/api/convert_to_tests.rs"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 157 more): Same pattern found in 157 additional files. Review if needed."}, "properties": {"repobilityId": 80632, "scanner": "repobility-threat-engine", "fingerprint": "1a7262bc4083e5b71f29a2a2945aee350a65feeac2732d78a023b52da82dd588", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 157 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1a7262bc4083e5b71f29a2a2945aee350a65feeac2732d78a023b52da82dd588", "aggregated_count": 157}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 133 more): Same pattern found in 133 additional files. Review if needed."}, "properties": {"repobilityId": 80628, "scanner": "repobility-threat-engine", "fingerprint": "1ec18b0b8d3bbf993d05375fd23283acc41d6b0ec1b529e7adf7fc4e899cfbef", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 133 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 133 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1ec18b0b8d3bbf993d05375fd23283acc41d6b0ec1b529e7adf7fc4e899cfbef"}}}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 80624, "scanner": "repobility-threat-engine", "fingerprint": "c91110defdb2b207a0ae00cba0aa14e7543d11916e29a8c5975ffe3316b03635", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c91110defdb2b207a0ae00cba0aa14e7543d11916e29a8c5975ffe3316b03635"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/DockTilePlugin/WarpDockTilePlugin.m"}, "region": {"startLine": 33}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 80623, "scanner": "repobility-threat-engine", "fingerprint": "33f8a11bb9950391724aaaf564313c9967d2e5a2c97736723f8a42124b41d155", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "chunk_lines", "breakdown": {"if": 2, "for": 2, "else": 1, "ternary": 1, "nested_bonus": 5}, "aggregated": true, "complexity": 11, "correlation_key": "fp|33f8a11bb9950391724aaaf564313c9967d2e5a2c97736723f8a42124b41d155", "aggregated_count": 1}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 80619, "scanner": "repobility-threat-engine", "fingerprint": "ef397bd65ac490246b20d8bf8e03ba08b255c30c874c66e1da62101f89c81278", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ef397bd65ac490246b20d8bf8e03ba08b255c30c874c66e1da62101f89c81278"}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `app/assets/windows/arm64/dxcompiler.dll` committed in source repo: `app/assets/windows/arm64/dxcompiler.dll` is a .dll binary (22,581,808 bytes) committed to a repo that otherwise has 3502 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 80811, "scanner": "repobility-supply-chain", "fingerprint": "109cf84ecf02700931ee6fc1e649267fc54b94fa33f51d61d39b0e787b09c771", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|109cf84ecf02700931ee6fc1e649267fc54b94fa33f51d61d39b0e787b09c771"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/assets/windows/arm64/dxcompiler.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `app/assets/windows/arm64/OpenConsole.exe` committed in source repo: `app/assets/windows/arm64/OpenConsole.exe` is a .exe binary (1,192,960 bytes) committed to a repo that otherwise has 3502 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 80810, "scanner": "repobility-supply-chain", "fingerprint": "6b0560e80dfc4c53bde079ab55d7ec647226d903ef4f6fab100913247ae351e9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b0560e80dfc4c53bde079ab55d7ec647226d903ef4f6fab100913247ae351e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/assets/windows/arm64/OpenConsole.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `app/assets/windows/arm64/msvcp140.dll` committed in source repo: `app/assets/windows/arm64/msvcp140.dll` is a .dll binary (1,372,192 bytes) committed to a repo that otherwise has 3502 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 80809, "scanner": "repobility-supply-chain", "fingerprint": "a9374edeab3ffeb8942c64cb39add595a270996c9e538cd7f451c3752b5e6e6f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a9374edeab3ffeb8942c64cb39add595a270996c9e538cd7f451c3752b5e6e6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/assets/windows/arm64/msvcp140.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `app/assets/windows/arm64/conpty.dll` committed in source repo: `app/assets/windows/arm64/conpty.dll` is a .dll binary (95,232 bytes) committed to a repo that otherwise has 3502 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 80808, "scanner": "repobility-supply-chain", "fingerprint": "e650d566f76d7a88723ff1a2d72d6cc844545ef60e0b2af41f31932145757ff3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e650d566f76d7a88723ff1a2d72d6cc844545ef60e0b2af41f31932145757ff3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/assets/windows/arm64/conpty.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `app/assets/windows/arm64/vcruntime140_1.dll` committed in source repo: `app/assets/windows/arm64/vcruntime140_1.dll` is a .dll binary (53,280 bytes) committed to a repo that otherwise has 3502 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 80807, "scanner": "repobility-supply-chain", "fingerprint": "e58eb6ac7f5c830ac2ffd77209ab76488cc77fa36ef75464e376ae692122dde8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e58eb6ac7f5c830ac2ffd77209ab76488cc77fa36ef75464e376ae692122dde8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/assets/windows/arm64/vcruntime140_1.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `app/assets/windows/arm64/vcruntime140.dll` committed in source repo: `app/assets/windows/arm64/vcruntime140.dll` is a .dll binary (199,200 bytes) committed to a repo that otherwise has 3502 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 80806, "scanner": "repobility-supply-chain", "fingerprint": "02633530f7754db46cfdf7fee23c446ec70a030dae4c064ad26b597636875579", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|02633530f7754db46cfdf7fee23c446ec70a030dae4c064ad26b597636875579"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/assets/windows/arm64/vcruntime140.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `app/assets/windows/arm64/dxil.dll` committed in source repo: `app/assets/windows/arm64/dxil.dll` is a .dll binary (1,792,584 bytes) committed to a repo that otherwise has 3502 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 80805, "scanner": "repobility-supply-chain", "fingerprint": "fe6a178225c6869ce09ed692a20d59516fa52404f55b6b51d482795d5b7c1c01", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe6a178225c6869ce09ed692a20d59516fa52404f55b6b51d482795d5b7c1c01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/assets/windows/arm64/dxil.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `app/assets/windows/x64/dxcompiler.dll` committed in source repo: `app/assets/windows/x64/dxcompiler.dll` is a .dll binary (18,091,048 bytes) committed to a repo that otherwise has 3502 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 80804, "scanner": "repobility-supply-chain", "fingerprint": "e73315d4f2eb4fe1f87ab35a934f4a63149609474a36492d288a396cd58e4cb5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e73315d4f2eb4fe1f87ab35a934f4a63149609474a36492d288a396cd58e4cb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/assets/windows/x64/dxcompiler.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `app/assets/windows/x64/OpenConsole.exe` committed in source repo: `app/assets/windows/x64/OpenConsole.exe` is a .exe binary (1,145,344 bytes) committed to a repo that otherwise has 3502 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 80803, "scanner": "repobility-supply-chain", "fingerprint": "2e769dbbf3d5e47347fde94fb6e559915dad5ce20bdee31e5acbe3990f951ca7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2e769dbbf3d5e47347fde94fb6e559915dad5ce20bdee31e5acbe3990f951ca7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/assets/windows/x64/OpenConsole.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `app/assets/windows/x64/msvcp140.dll` committed in source repo: `app/assets/windows/x64/msvcp140.dll` is a .dll binary (557,136 bytes) committed to a repo that otherwise has 3502 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 80802, "scanner": "repobility-supply-chain", "fingerprint": "84a5d211458154b0abf93523f5a8c4b30128565012ea87b6601f3018c505d6ea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|84a5d211458154b0abf93523f5a8c4b30128565012ea87b6601f3018c505d6ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/assets/windows/x64/msvcp140.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `app/assets/windows/x64/conpty.dll` committed in source repo: `app/assets/windows/x64/conpty.dll` is a .dll binary (98,816 bytes) committed to a repo that otherwise has 3502 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 80801, "scanner": "repobility-supply-chain", "fingerprint": "93a2735f470b85667bfdc5bfcf24d005716411986ca31d4f7c811b0905d9ce86", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|93a2735f470b85667bfdc5bfcf24d005716411986ca31d4f7c811b0905d9ce86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/assets/windows/x64/conpty.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `app/assets/windows/x64/vcruntime140_1.dll` committed in source repo: `app/assets/windows/x64/vcruntime140_1.dll` is a .dll binary (49,792 bytes) committed to a repo that otherwise has 3502 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 80800, "scanner": "repobility-supply-chain", "fingerprint": "ab47d51ad6d28ec40295ff0b9900289739fcbc73311816d6964d94eaa33efe84", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ab47d51ad6d28ec40295ff0b9900289739fcbc73311816d6964d94eaa33efe84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/assets/windows/x64/vcruntime140_1.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `app/assets/windows/x64/vcruntime140.dll` committed in source repo: `app/assets/windows/x64/vcruntime140.dll` is a .dll binary (124,520 bytes) committed to a repo that otherwise has 3502 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 80799, "scanner": "repobility-supply-chain", "fingerprint": "e8bbc5bb53192718f3c6f63f03c1e0c50e1274bfec9d6d05f9e7bd6a44d0017c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e8bbc5bb53192718f3c6f63f03c1e0c50e1274bfec9d6d05f9e7bd6a44d0017c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/assets/windows/x64/vcruntime140.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `app/assets/windows/x64/dxil.dll` committed in source repo: `app/assets/windows/x64/dxil.dll` is a .dll binary (1,525,280 bytes) committed to a repo that otherwise has 3502 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 80798, "scanner": "repobility-supply-chain", "fingerprint": "3e20e0e61c6f4f0e4a56d20dfb78d640cb8a4c89f81e8eb32a055c40cfadd4f2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e20e0e61c6f4f0e4a56d20dfb78d640cb8a4c89f81e8eb32a055c40cfadd4f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/assets/windows/x64/dxil.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `archlinux:base-devel` not pinned by digest: `FROM archlinux:base-devel` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 80797, "scanner": "repobility-supply-chain", "fingerprint": "109b7c249846cef2ccbaa3b5821570f5773b27bf141d5a01ee5b0981fa3f0f37", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|109b7c249846cef2ccbaa3b5821570f5773b27bf141d5a01ee5b0981fa3f0f37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/bundle_arch_package/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `warpdotdev/oz-for-oss/.github/workflows/update-triage.yml` pinned to mutable ref `@main`: `uses: warpdotdev/oz-for-oss/.github/workflows/update-triage.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80796, "scanner": "repobility-supply-chain", "fingerprint": "63419754cb060dec4ffe648f062102197cad50414eef41f9e98eb7aea364b6f6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|63419754cb060dec4ffe648f062102197cad50414eef41f9e98eb7aea364b6f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-triage-local.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `warpdotdev/oz-for-oss/.github/workflows/update-pr-review.yml` pinned to mutable ref `@main`: `uses: warpdotdev/oz-for-oss/.github/workflows/update-pr-review.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80795, "scanner": "repobility-supply-chain", "fingerprint": "7ad3e559ffb23042c5a980ea6d93a8ab4f314d7d0bfa7941c70e23ca9cad37ad", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7ad3e559ffb23042c5a980ea6d93a8ab4f314d7d0bfa7941c70e23ca9cad37ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-pr-review-local.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `warpdotdev/oz-for-oss/.github/workflows/update-dedupe.yml` pinned to mutable ref `@main`: `uses: warpdotdev/oz-for-oss/.github/workflows/update-dedupe.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80794, "scanner": "repobility-supply-chain", "fingerprint": "82526177726c96b5ce4d8930291fbb438fb8cadf9a9970004daaa2751f7b77bc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|82526177726c96b5ce4d8930291fbb438fb8cadf9a9970004daaa2751f7b77bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-dedupe-local.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `warpdotdev/repo-sync/.github/workflows/escalation.yml` pinned to mutable ref `@main`: `uses: warpdotdev/repo-sync/.github/workflows/escalation.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80787, "scanner": "repobility-supply-chain", "fingerprint": "28ff579678b5994b826e906f12b61d07e9bf81e60be6632b3cc0d4f0367f694d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|28ff579678b5994b826e906f12b61d07e9bf81e60be6632b3cc0d4f0367f694d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/repo-sync.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `warpdotdev/repo-sync/.github/workflows/approve.yml` pinned to mutable ref `@main`: `uses: warpdotdev/repo-sync/.github/workflows/approve.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80786, "scanner": "repobility-supply-chain", "fingerprint": "3e894713372681c575245108bbf6ab10414316f54d194740adb3d828035c3fde", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e894713372681c575245108bbf6ab10414316f54d194740adb3d828035c3fde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/repo-sync.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `warpdotdev/repo-sync/.github/workflows/restack.yml` pinned to mutable ref `@main`: `uses: warpdotdev/repo-sync/.github/workflows/restack.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80785, "scanner": "repobility-supply-chain", "fingerprint": "a534fc949b5013c07b2a91acaeb3bbbb4d501f76d720ee48f90400716e365ff5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a534fc949b5013c07b2a91acaeb3bbbb4d501f76d720ee48f90400716e365ff5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/repo-sync.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `warpdotdev/repo-sync/.github/workflows/sync.yml` pinned to mutable ref `@main`: `uses: warpdotdev/repo-sync/.github/workflows/sync.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80784, "scanner": "repobility-supply-chain", "fingerprint": "dbbe7443c407b1480db93e8f161b2f67b52b5e9f90a8d5af9a1da0506d8d7908", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dbbe7443c407b1480db93e8f161b2f67b52b5e9f90a8d5af9a1da0506d8d7908"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/repo-sync.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `warpdotdev/repo-sync/actions/validate-markers` pinned to mutable ref `@main`: `uses: warpdotdev/repo-sync/actions/validate-markers@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80775, "scanner": "repobility-supply-chain", "fingerprint": "2409f616c302a4f90c994274701f80ee446ee8ef870fa2f8e1ddc35a97125b67", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2409f616c302a4f90c994274701f80ee446ee8ef870fa2f8e1ddc35a97125b67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 690}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `warpdotdev/oz-agent-action` pinned to mutable ref `@main`: `uses: warpdotdev/oz-agent-action@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80774, "scanner": "repobility-supply-chain", "fingerprint": "df93cc8d6d8576f0ea01be1122dcc381d6e12e0f3c2790a9dc09b492c8f33461", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|df93cc8d6d8576f0ea01be1122dcc381d6e12e0f3c2790a9dc09b492c8f33461"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/feature_flag_cleanup.yml"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `warpdotdev/oz-agent-action` pinned to mutable ref `@main`: `uses: warpdotdev/oz-agent-action@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80773, "scanner": "repobility-supply-chain", "fingerprint": "2ac29f8df12b29d27a7df23f76f837340c3fe7cb7472a7e9aa6c48238f16c964", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2ac29f8df12b29d27a7df23f76f837340c3fe7cb7472a7e9aa6c48238f16c964"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/feature_flag_cleanup.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:latest` not pinned by digest: `FROM ubuntu:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 80772, "scanner": "repobility-supply-chain", "fingerprint": "f290f782e73e166d27c52a7b952bf322bc1139fdc7414155e4f2c55ea8ddf287", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f290f782e73e166d27c52a7b952bf322bc1139fdc7414155e4f2c55ea8ddf287"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/tests/ssh/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 80771, "scanner": "repobility-supply-chain", "fingerprint": "39d6f2dcf9c306359cf49371233a0a4f18b32dd7d65b0723618952d264f09854", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|39d6f2dcf9c306359cf49371233a0a4f18b32dd7d65b0723618952d264f09854"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/agent-dev/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:sid` not pinned by digest: `FROM debian:sid` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 80770, "scanner": "repobility-supply-chain", "fingerprint": "6b2e99314573b0d98a3277f74cb6dee25e10d3eaf564ee07325e9b7a44f4f0de", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b2e99314573b0d98a3277f74cb6dee25e10d3eaf564ee07325e9b7a44f4f0de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/linux-dev/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_response` used but never assigned in __init__: Method `do_POST` of class `ReviewHandler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80767, "scanner": "repobility-ast-engine", "fingerprint": "4f7dc44e132b877f4fb0e0b84c374ebc5d9141626d3c5fbcadebb8e76aa6de90", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4f7dc44e132b877f4fb0e0b84c374ebc5d9141626d3c5fbcadebb8e76aa6de90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 374}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.headers` used but never assigned in __init__: Method `do_POST` of class `ReviewHandler` reads `self.headers`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80766, "scanner": "repobility-ast-engine", "fingerprint": "99af404fc677e2dc31776520c3ea14d2f9ed68801d18faa354a0217331c4c1f3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|99af404fc677e2dc31776520c3ea14d2f9ed68801d18faa354a0217331c4c1f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 363}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.wfile` used but never assigned in __init__: Method `do_POST` of class `ReviewHandler` reads `self.wfile`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80765, "scanner": "repobility-ast-engine", "fingerprint": "62bfb019ad6a60336c7fc7348145ed7c28ef85254bba1081be4fa960ba846def", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|62bfb019ad6a60336c7fc7348145ed7c28ef85254bba1081be4fa960ba846def"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 378}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_response` used but never assigned in __init__: Method `do_POST` of class `ReviewHandler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80764, "scanner": "repobility-ast-engine", "fingerprint": "a9aa1aacac39188fe0a7f4edf41d3505b0f3e3b7ab928623a907bc4c408459a9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a9aa1aacac39188fe0a7f4edf41d3505b0f3e3b7ab928623a907bc4c408459a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 371}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.rfile` used but never assigned in __init__: Method `do_POST` of class `ReviewHandler` reads `self.rfile`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80763, "scanner": "repobility-ast-engine", "fingerprint": "8f77126546e4af1c3750cd388f28243314627d977a728a09f9f11cc9a9da25dd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8f77126546e4af1c3750cd388f28243314627d977a728a09f9f11cc9a9da25dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 364}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_error` used but never assigned in __init__: Method `do_POST` of class `ReviewHandler` reads `self.send_error`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80762, "scanner": "repobility-ast-engine", "fingerprint": "786b7e2b2ac4abd59e10b2761894452729684728634fb7eb38facefba6e6402a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|786b7e2b2ac4abd59e10b2761894452729684728634fb7eb38facefba6e6402a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 380}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.end_headers` used but never assigned in __init__: Method `do_POST` of class `ReviewHandler` reads `self.end_headers`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80761, "scanner": "repobility-ast-engine", "fingerprint": "9982cf33094e1dd30d32a4fc9ada65ad6382edc3137c709fb06f3bb212f17afe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9982cf33094e1dd30d32a4fc9ada65ad6382edc3137c709fb06f3bb212f17afe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 377}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `do_POST` of class `ReviewHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80760, "scanner": "repobility-ast-engine", "fingerprint": "17d5e93bd23ac5a2dfcbb106081db6876289933aaf071be17047d35ae81f9382", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|17d5e93bd23ac5a2dfcbb106081db6876289933aaf071be17047d35ae81f9382"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 376}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `do_POST` of class `ReviewHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80759, "scanner": "repobility-ast-engine", "fingerprint": "a40d950cbf54f6a7bf2a31c3680846629521ce93c975c5a9bd7ab57ef1d29e26", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a40d950cbf54f6a7bf2a31c3680846629521ce93c975c5a9bd7ab57ef1d29e26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 375}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_POST` of class `ReviewHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80758, "scanner": "repobility-ast-engine", "fingerprint": "07c0e011a258bc7508015fbc4165d3fe07b90651d89727b43df97ebed7454f6e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|07c0e011a258bc7508015fbc4165d3fe07b90651d89727b43df97ebed7454f6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 362}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.wfile` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.wfile`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80757, "scanner": "repobility-ast-engine", "fingerprint": "aac03f5a25b45a869b48676f4277166f52be944e765be9aa79b4789c16bfc0bf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aac03f5a25b45a869b48676f4277166f52be944e765be9aa79b4789c16bfc0bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 357}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_error` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.send_error`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80756, "scanner": "repobility-ast-engine", "fingerprint": "83171c98394c283558478b3794751e0a56625f74baeb45fdd7fa8c64548cfae8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|83171c98394c283558478b3794751e0a56625f74baeb45fdd7fa8c64548cfae8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 359}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.end_headers` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.end_headers`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80755, "scanner": "repobility-ast-engine", "fingerprint": "ff06ff94e103fea9d30fd8717a83f1baaf376e074633b5070f3e33d4ea1de690", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ff06ff94e103fea9d30fd8717a83f1baaf376e074633b5070f3e33d4ea1de690"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 356}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80754, "scanner": "repobility-ast-engine", "fingerprint": "5517f04a6de73267ac46032915943a45720ec804b59151ac1a6f9116eea650c9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5517f04a6de73267ac46032915943a45720ec804b59151ac1a6f9116eea650c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 355}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80753, "scanner": "repobility-ast-engine", "fingerprint": "6fb6412c829d133fb6e97fc121868b530fbf613789f42e7425d18191cb926497", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6fb6412c829d133fb6e97fc121868b530fbf613789f42e7425d18191cb926497"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 354}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_response` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80752, "scanner": "repobility-ast-engine", "fingerprint": "51313a30d2cf7e9065e56239ccd73ec765245f1da15ff4e65befc40d030b025d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|51313a30d2cf7e9065e56239ccd73ec765245f1da15ff4e65befc40d030b025d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 353}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.wfile` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.wfile`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80751, "scanner": "repobility-ast-engine", "fingerprint": "a1b002bddac69997df205802b24ed70ead3a5031e6ba613d9d851494743184f6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a1b002bddac69997df205802b24ed70ead3a5031e6ba613d9d851494743184f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 348}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80750, "scanner": "repobility-ast-engine", "fingerprint": "a0b72830833b5c4f210f285dc103608a7b5f3943d93a75214421270ff88a4ce9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a0b72830833b5c4f210f285dc103608a7b5f3943d93a75214421270ff88a4ce9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 349}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.end_headers` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.end_headers`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80749, "scanner": "repobility-ast-engine", "fingerprint": "841b741d59e80a5d2de51ba8cd7c1b1eb76c1953f1514221a328759cf639c035", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|841b741d59e80a5d2de51ba8cd7c1b1eb76c1953f1514221a328759cf639c035"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 347}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80748, "scanner": "repobility-ast-engine", "fingerprint": "57aece04bb11930cfee050f9a2d774459769493bf584d50d5a7856b246b16eb6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|57aece04bb11930cfee050f9a2d774459769493bf584d50d5a7856b246b16eb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 346}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80747, "scanner": "repobility-ast-engine", "fingerprint": "e57d7ff048caa0f2b7edddc5789a3dfb9eb47349194ff79ab400d1376ada71a6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e57d7ff048caa0f2b7edddc5789a3dfb9eb47349194ff79ab400d1376ada71a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 345}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_response` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80746, "scanner": "repobility-ast-engine", "fingerprint": "29714b1c90f4e19b66ac9136783587cc124d4c9fea9bd37110752ec114011b6a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|29714b1c90f4e19b66ac9136783587cc124d4c9fea9bd37110752ec114011b6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 344}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 80745, "scanner": "repobility-ast-engine", "fingerprint": "869fba0218d9abc398adbd813d561093d884292640d93659ec30089a9d111d30", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|869fba0218d9abc398adbd813d561093d884292640d93659ec30089a9d111d30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 333}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 80736, "scanner": "repobility-docker", "fingerprint": "82b8aab756a32cf5edb28797d2578f2cad2f9953766ae461d126b9fb1430eccc", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|82b8aab756a32cf5edb28797d2578f2cad2f9953766ae461d126b9fb1430eccc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/linux-dev/Dockerfile"}, "region": {"startLine": 51}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 80728, "scanner": "repobility-docker", "fingerprint": "26e157d19fa7ca38a0578650eef2903302afc29c5b0de5636ba1e5f8e7b890c9", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|26e157d19fa7ca38a0578650eef2903302afc29c5b0de5636ba1e5f8e7b890c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/agent-dev/Dockerfile"}, "region": {"startLine": 51}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 80727, "scanner": "repobility-docker", "fingerprint": "6bb88ad3cb20fad471196d9f47395b883d4861762d603c9d7aa3fb973486234f", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6bb88ad3cb20fad471196d9f47395b883d4861762d603c9d7aa3fb973486234f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/agent-dev/Dockerfile"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC061", "level": "error", "message": {"text": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT)."}, "properties": {"repobilityId": 80675, "scanner": "repobility-threat-engine", "fingerprint": "c08315d6ac42c3d4fe33d73396bea84b19e8913e1a074355a198afbef77607ba", "category": "secret", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5jb20vd2FycC1zZXJ", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC061", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|14|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/terminal/model/secrets_tests.rs"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED099", "level": "error", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 80669, "scanner": "repobility-threat-engine", "fingerprint": "f43869da189fffc54cc9a308fedb8b27dc51884cc9ec426fc04ee2441b8fb2cf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f43869da189fffc54cc9a308fedb8b27dc51884cc9ec426fc04ee2441b8fb2cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/terminal/model/secrets_tests.rs"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 80660, "scanner": "repobility-threat-engine", "fingerprint": "597d41de6b3784e22ee3c84a0c543e2c25ba282af3fc4d30cc44783e12986b79", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|597d41de6b3784e22ee3c84a0c543e2c25ba282af3fc4d30cc44783e12986b79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pane_group/pane/welcome_view.rs"}, "region": {"startLine": 277}}}]}, {"ruleId": "MINED039", "level": "error", "message": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path."}, "properties": {"repobilityId": 80657, "scanner": "repobility-threat-engine", "fingerprint": "6d4317a5abb5938404b21198f1b51252f40c79342aead41f8117e6d16ee3c286", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-todo-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347989+00:00", "triaged_in_corpus": 15, "observations_count": 1561, "ai_coder_pattern_id": 114}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d4317a5abb5938404b21198f1b51252f40c79342aead41f8117e6d16ee3c286"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/lsp/src/servers/go.rs"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED039", "level": "error", "message": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path."}, "properties": {"repobilityId": 80656, "scanner": "repobility-threat-engine", "fingerprint": "04da9c370851175bd0c47e2a957bfd49c91d665e5f51d501da6ccc76be04e5b3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-todo-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347989+00:00", "triaged_in_corpus": 15, "observations_count": 1561, "ai_coder_pattern_id": 114}, "scanner": "repobility-threat-engine", "correlation_key": "fp|04da9c370851175bd0c47e2a957bfd49c91d665e5f51d501da6ccc76be04e5b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/lsp/src/servers/clangd.rs"}, "region": {"startLine": 237}}}]}, {"ruleId": "MINED039", "level": "error", "message": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path."}, "properties": {"repobilityId": 80655, "scanner": "repobility-threat-engine", "fingerprint": "953e0f37c595807c2dd596126f5d6463c027413bff8180ee0c61016c7238a1d4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-todo-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347989+00:00", "triaged_in_corpus": 15, "observations_count": 1561, "ai_coder_pattern_id": 114}, "scanner": "repobility-threat-engine", "correlation_key": "fp|953e0f37c595807c2dd596126f5d6463c027413bff8180ee0c61016c7238a1d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/integration_testing/terminal/util.rs"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC113", "level": "error", "message": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`."}, "properties": {"repobilityId": 80654, "scanner": "repobility-threat-engine", "fingerprint": "7e02284198cc67878a5312f6207b280c5e59329d2db88b47d63657afc1c53b38", "category": "crypto", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "StrictHostKeyChecking=no", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC113", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|26|sec113"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/integration_testing/subshell/util.rs"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 80649, "scanner": "repobility-threat-engine", "fingerprint": "f1fad041e68c0cb4cdf454b00a63d991bd8c67fc5ff222d48cca0f4d36d3897f", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(&request", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|163|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/skills/global_skills_tests.rs"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 80631, "scanner": "repobility-threat-engine", "fingerprint": "6fb601760070eee2e524a3bd24a9c433be79b97aea9fd353e37aa79171c60397", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6fb601760070eee2e524a3bd24a9c433be79b97aea9fd353e37aa79171c60397"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/agent/mod_tests.rs"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 80630, "scanner": "repobility-threat-engine", "fingerprint": "7b89a6788ac3fb7c57ecd37f7ecc30f9630220fafcc1f680a3c72f7c55a8e743", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7b89a6788ac3fb7c57ecd37f7ecc30f9630220fafcc1f680a3c72f7c55a8e743"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/agent/api/convert_to_tests.rs"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 80629, "scanner": "repobility-threat-engine", "fingerprint": "01f91376010837c408239291ee8df5e4d97ba73d120dec8f01f0aaea2d353bc6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|01f91376010837c408239291ee8df5e4d97ba73d120dec8f01f0aaea2d353bc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/active_agent_views_model_tests.rs"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 80627, "scanner": "repobility-threat-engine", "fingerprint": "58e4cd2db4ef779cf4fdf20f4bb89a921ef9fdde49bdea1aad68b7386a6d069c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "runner.update(ctx, move |_, ctx| {\n        let refresh_future = super::common::refresh_workspace", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|58e4cd2db4ef779cf4fdf20f4bb89a921ef9fdde49bdea1aad68b7386a6d069c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/agent_sdk/admin.rs"}, "region": {"startLine": 159}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 80626, "scanner": "repobility-threat-engine", "fingerprint": "cc9542f9dc0db201a6f7cceba592bc831e38aae714ed2b27f27b6db50253c37e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "notifications.update(&mut app, |model, _| {\n            let artifacts = model.flush_pending", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cc9542f9dc0db201a6f7cceba592bc831e38aae714ed2b27f27b6db50253c37e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/agent_management/agent_management_model_tests.rs"}, "region": {"startLine": 163}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 80625, "scanner": "repobility-threat-engine", "fingerprint": "ff9bf116a7d9663261300c95e6af7aba528366b639cbaed826355a7f6a4e5c06", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "model.update(&mut app, |model, ctx| {\n            model.handle_pane_focus_change(window_a, N", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ff9bf116a7d9663261300c95e6af7aba528366b639cbaed826355a7f6a4e5c06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/active_agent_views_model_tests.rs"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 80618, "scanner": "repobility-threat-engine", "fingerprint": "d56b1dbe68d18599235586c05b1c74741772710d71e463c5a73df60077efb020", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d56b1dbe68d18599235586c05b1c74741772710d71e463c5a73df60077efb020"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/auth/needs_sso_link_view.rs"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 80617, "scanner": "repobility-threat-engine", "fingerprint": "bb3175a4a870b136b8f7fc79d165c7fbe03ea61afa365bc9d2a9f5ff81af094a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bb3175a4a870b136b8f7fc79d165c7fbe03ea61afa365bc9d2a9f5ff81af094a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/ai/ambient_agents/github_auth_url.rs"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 80616, "scanner": "repobility-threat-engine", "fingerprint": "73520003a1edaef53d60afc0382c81aef70bb65c34f04716e332aeb27b473231", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|73520003a1edaef53d60afc0382c81aef70bb65c34f04716e332aeb27b473231"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/changelog-draft/scripts/build_slack_payload.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 80615, "scanner": "repobility-threat-engine", "fingerprint": "d6fd9b030368edc99ae19f6ffe447bcf46ebd8b8ac0713f48af664640e3b5d33", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(args.input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|. token|100|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/changelog-draft/scripts/convert_to_release_json.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 80614, "scanner": "repobility-threat-engine", "fingerprint": "7018a3fc9e04fb23bb8df59e1afa311df1bd009376fb387e1724a5f5a5341c43", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(args.input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|. token|166|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/changelog-draft/scripts/build_slack_payload.py"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.REPO_SYNC_APP_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.REPO_SYNC_APP_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 80793, "scanner": "repobility-supply-chain", "fingerprint": "6b100b166744e101f5a15291c5129a2238363d323d804b83fc7468df795b1104", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b100b166744e101f5a15291c5129a2238363d323d804b83fc7468df795b1104"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/repo-sync.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.REPO_SYNC_APPROVER_APP_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.REPO_SYNC_APPROVER_APP_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 80792, "scanner": "repobility-supply-chain", "fingerprint": "b15089ed5a92bb7438b30e2c0346cd6f8ca3cabecb707983ca762c4d8943530c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b15089ed5a92bb7438b30e2c0346cd6f8ca3cabecb707983ca762c4d8943530c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/repo-sync.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.WARP_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.WARP_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 80791, "scanner": "repobility-supply-chain", "fingerprint": "61389f423bdeefadfe6590c002517f6e0d88b60cfaa273426e6483c5b88864c3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|61389f423bdeefadfe6590c002517f6e0d88b60cfaa273426e6483c5b88864c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/repo-sync.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.REPO_SYNC_APP_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.REPO_SYNC_APP_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 80790, "scanner": "repobility-supply-chain", "fingerprint": "afbca550a83a565b22384a0ff4319702102aac7b2f44342c10b37dd678c11080", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|afbca550a83a565b22384a0ff4319702102aac7b2f44342c10b37dd678c11080"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/repo-sync.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.WARP_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.WARP_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 80789, "scanner": "repobility-supply-chain", "fingerprint": "64cff4eb41e4a11257e9d9aaf492e706f8c362ced239165f8a5b72080a0ff41a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|64cff4eb41e4a11257e9d9aaf492e706f8c362ced239165f8a5b72080a0ff41a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/repo-sync.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.REPO_SYNC_APP_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.REPO_SYNC_APP_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 80788, "scanner": "repobility-supply-chain", "fingerprint": "52c140e6a44de23bb2cac1dab01e5bf634b0453cb9f27cc74b4cfc40bea9eb16", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|52c140e6a44de23bb2cac1dab01e5bf634b0453cb9f27cc74b4cfc40bea9eb16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/repo-sync.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TRUNK_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TRUNK_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 80783, "scanner": "repobility-supply-chain", "fingerprint": "67d0935fbc3c741da26efc800830368a2c30fbdd53b444f8d3dee501c4f15131", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|67d0935fbc3c741da26efc800830368a2c30fbdd53b444f8d3dee501c4f15131"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 538}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TRUNK_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TRUNK_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 80782, "scanner": "repobility-supply-chain", "fingerprint": "f1a5c93eeeab210d40bc44af347357e69fceb578415155c70bd3f04413943908", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f1a5c93eeeab210d40bc44af347357e69fceb578415155c70bd3f04413943908"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 420}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TRUNK_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TRUNK_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 80781, "scanner": "repobility-supply-chain", "fingerprint": "1da87bea8685429c8c1dcbf5056959b648cff1458f3c15023e103bd09cb07cc0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1da87bea8685429c8c1dcbf5056959b648cff1458f3c15023e103bd09cb07cc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 397}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TRUNK_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TRUNK_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 80780, "scanner": "repobility-supply-chain", "fingerprint": "829712e0fe1018b50ef27656a7dc1ee70cc6bef3e05becbdc2f0951182a645b0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|829712e0fe1018b50ef27656a7dc1ee70cc6bef3e05becbdc2f0951182a645b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 374}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TRUNK_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TRUNK_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 80779, "scanner": "repobility-supply-chain", "fingerprint": "882067998bf35923ac964602a82e1a76c319154ef0997e3ca5488a69a878ea8a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|882067998bf35923ac964602a82e1a76c319154ef0997e3ca5488a69a878ea8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 351}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TRUNK_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TRUNK_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 80778, "scanner": "repobility-supply-chain", "fingerprint": "0a1d8ae577820ac3a23f3ede6c189167e207dc996c7a1895664c9ff3d34d81ee", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a1d8ae577820ac3a23f3ede6c189167e207dc996c7a1895664c9ff3d34d81ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 325}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TRUNK_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TRUNK_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 80777, "scanner": "repobility-supply-chain", "fingerprint": "dd047b1b73044590f02049956c46ab9bb740956524ec56b59a9c2773a72d3061", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dd047b1b73044590f02049956c46ab9bb740956524ec56b59a9c2773a72d3061"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 302}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TRUNK_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TRUNK_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 80776, "scanner": "repobility-supply-chain", "fingerprint": "5566c8570185a8e6632397d61b80bf0ffbc1b37dba418c176b95683a8e8ffb97", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5566c8570185a8e6632397d61b80bf0ffbc1b37dba418c176b95683a8e8ffb97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 277}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 80744, "scanner": "repobility-ast-engine", "fingerprint": "181edcf1c3f0dedc8472f29476b8174d379144e7b47410ee2d38443b8104b115", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|181edcf1c3f0dedc8472f29476b8174d379144e7b47410ee2d38443b8104b115"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/bundled/skills/create-skill/eval-viewer/generate_review.py"}, "region": {"startLine": 343}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 80677, "scanner": "repobility-threat-engine", "fingerprint": "8b8fcb9afb932c98c5860a685177917fb229d44ac246cbef64bbc4df37eadf9e", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://user:password@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|1|postgresql://user:password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/cloud_object_models/src/mcp_tests.rs"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC051", "level": "error", "message": {"text": "[SEC051] Stripe live/test key: Stripe API key (live or test). Live keys can charge real cards. Ported from gitleaks stripe-access-token (MIT)."}, "properties": {"repobilityId": 80674, "scanner": "repobility-threat-engine", "fingerprint": "e85ee27494c1d0974a2b8401d696af5847ed417ad65b62a706d999f9a5e4c600", "category": "secret", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "sk_live_4eC39HqLyjWDarjtT1zdp7dc", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC051", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|1|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/terminal/model/secrets_tests.rs"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC049", "level": "error", "message": {"text": "[SEC049] GCP API key: Google Cloud API key (AIza prefix). Ported from gitleaks gcp-api-key (MIT)."}, "properties": {"repobilityId": 80673, "scanner": "repobility-threat-engine", "fingerprint": "6b98c6835a86af67e3f60f008767ce155f768bac4cc6166c7e43d8633da1af29", "category": "secret", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC049", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|6|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/terminal/model/secrets_tests.rs"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC048", "level": "error", "message": {"text": "[SEC048] AWS access key (any prefix): AWS access key ID detected (supports access, session, batch, codecommit prefixes). Ported from gitleaks aws-access-token (MIT)."}, "properties": {"repobilityId": 80667, "scanner": "repobility-threat-engine", "fingerprint": "9a80a8258b5eb25b4739c329e1ada5376b4beb464c5ff1c8bdd8804c12a9cbd5", "category": "secret", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ASIAZRUF5DH7SYC4A3NF", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC048", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|10|asiazruf5dh7syc4a3nf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/terminal/model/secrets_tests.rs"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC010", "level": "error", "message": {"text": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code."}, "properties": {"repobilityId": 80665, "scanner": "repobility-threat-engine", "fingerprint": "6a8cb6f2313f7cb09362ecee8dfdedf926a183eff28c57a0dd07580e56cef732", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "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", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC010", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|2|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/terminal/model/secrets_tests.rs"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC002", "level": "error", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 80662, "scanner": "repobility-threat-engine", "fingerprint": "1b3842aa5051dbda08396846ffda8233c3e4bdd5ff107b41ce8132b5aae23d0d", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.8 bits) \u2014 likely real secret", "evidence": {"match": "api_key = \"<redacted>\"", "reason": "High entropy value (4.8 bits) \u2014 likely real secret", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|token|1|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/terminal/model/secrets_tests.rs"}, "region": {"startLine": 16}}}]}]}]}