{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `render` has cognitive complexity 14 (SonarSource scale). Cognitive comple", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `render` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all we"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 14."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.", "shortDescription": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.", "shortDescription": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 12 more): Same pattern found in 12 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.", "shortDescription": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `pgvector/pgvector:pg17` unpinned: `container/services image: pgvector/pgve", "shortDescription": {"text": "[MINED126] Workflow container/services image `pgvector/pgvector:pg17` unpinned: `container/services image: pgvector/pgvector:pg17` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the "}, "fullDescription": {"text": "Replace with `pgvector/pgvector:pg17@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `ariga/atlas-action/migrate/push` pinned to mutable ref `@v1.14.5`: `uses: ariga/atlas-action/migrate/", "shortDescription": {"text": "[MINED115] Action `ariga/atlas-action/migrate/push` pinned to mutable ref `@v1.14.5`: `uses: ariga/atlas-action/migrate/push@v1.14.5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-ac"}, "fullDescription": {"text": "Replace with: `uses: ariga/atlas-action/migrate/push@<40-char-sha>  # v1.14.5` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `react-datepicker.css` pulled from URL/Git: `dependencies.react-datepicker.css` = `link:reac", "shortDescription": {"text": "[MINED122] package.json dep `react-datepicker.css` pulled from URL/Git: `dependencies.react-datepicker.css` = `link:react-datepicker/dist/react-datepicker.css` bypasses the npm registry. No integrity hash, no version locking, no registry-si"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC126", "name": "[SEC126] LLM prompt leakage in code comments (Generate me a function that...): The author's prompt to an LLM (or the LLM", "shortDescription": {"text": "[SEC126] LLM prompt leakage in code comments (Generate me a function that...): The author's prompt to an LLM (or the LLM's preamble) was committed as a code comment. This leaks the threat model, the AI tooling in use, and often the original"}, "fullDescription": {"text": "Remove the comment. If you want to document AI authorship, use a neutral tag like `# generated-by: codegen` rather than the literal prompt. Add a pre-commit hook that rejects comments starting with `Generate me`, `Sure!`, `Here's`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.GRAM_BOT_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_req", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.GRAM_BOT_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GRAM_BOT_PRIVATE_KEY }` lets a PR from any fork exfiltr"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1265"}, "properties": {"repository": "speakeasy-api/gram", "repoUrl": "https://github.com/speakeasy-api/gram", "branch": "main"}, "results": [{"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 128455, "scanner": "repobility-journey-contract", "fingerprint": "2435a0598a4a64d62d897803c30610da7ba1cefba08f738abe11635346dd9b72", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|49|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/access/ShadowMCPRequestAccessContent.tsx"}, "region": {"startLine": 49}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 128454, "scanner": "repobility-journey-contract", "fingerprint": "b40bd0d7f45237845f2a9e4d5658e51a5edd1921cff1119e3cac486615deb935", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|43|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/access/ShadowMCPRequestAccessContent.tsx"}, "region": {"startLine": 43}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 128453, "scanner": "repobility-access-control", "fingerprint": "b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 3, "correlation_key": "fp|b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "auth_visible_percent": 0.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 128452, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["GraphQL", "Chi"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 128451, "scanner": "repobility-agent-runtime", "fingerprint": "3c971ea3054bbddbd7c293ceda5a805912fcd9d2bafa0932a8e0ae5720925641", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|3c971ea3054bbddbd7c293ceda5a805912fcd9d2bafa0932a8e0ae5720925641"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/ui/use-view-mode.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 128450, "scanner": "repobility-agent-runtime", "fingerprint": "00e1c6470ff982a32a404626ae0622e2cdfad07729bfaece79e6bab8ecddfb70", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|00e1c6470ff982a32a404626ae0622e2cdfad07729bfaece79e6bab8ecddfb70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/observe/InsightsMCP.tsx"}, "region": {"startLine": 477}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 128449, "scanner": "repobility-agent-runtime", "fingerprint": "841d923492d1265df8c5c8c132db0f2a8c82967ff3746e058adf63dbfbf6f7f4", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|841d923492d1265df8c5c8c132db0f2a8c82967ff3746e058adf63dbfbf6f7f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/dev-toolbar.tsx"}, "region": {"startLine": 154}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 128448, "scanner": "repobility-agent-runtime", "fingerprint": "7ae5d3df5c83ff0b056ccc9a9afedfce5e659ba80f01c077350d3439fcc0427b", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|7ae5d3df5c83ff0b056ccc9a9afedfce5e659ba80f01c077350d3439fcc0427b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 104}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 128447, "scanner": "repobility-agent-runtime", "fingerprint": "4df188cb173be9826e6c9c744d72a55bf513c93468d185d7828263c5a629f2e9", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|4df188cb173be9826e6c9c744d72a55bf513c93468d185d7828263c5a629f2e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/public-oas-generation.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 128430, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 128429, "scanner": "repobility-threat-engine", "fingerprint": "d6f42adae2e43fad79ff8b54ff44f8e504cee5430f18debaa9b06b7d876ba134", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * area[0] * 0.5; // Only positiv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d6f42adae2e43fad79ff8b54ff44f8e504cee5430f18debaa9b06b7d876ba134"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/webgl/ascii-stars.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030."}, "properties": {"repobilityId": 128411, "scanner": "repobility-threat-engine", "fingerprint": "7127407213a2478eefdc9a7e275b1646e297cef1f0352007c9d99fb234a6fa6a", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = buildLoginRedirectURL", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7127407213a2478eefdc9a7e275b1646e297cef1f0352007c9d99fb234a6fa6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/access/ShadowMCPRequestAccessContent.tsx"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 128406, "scanner": "repobility-threat-engine", "fingerprint": "e92bca01ce4b7fbc2892eddb5a1a1ffd4e6ba419d04fbe85f1e5415cc1d3bf06", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(link, \"_blank\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|20|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/billing/usage-controls.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 128405, "scanner": "repobility-threat-engine", "fingerprint": "3721cef4f9ed02aa4bf33d8c1e9bea494c7665472d14edbab30843beccfae91f", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(routes.billing.href()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|74|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/FeatureRequestModal.tsx"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 128402, "scanner": "repobility-threat-engine", "fingerprint": "7a991922a87c3642fa69290f84676d6acae20a0de5294bb319c48b85bcce2c8d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{\n\t\tHandler:      mux,\n\t\tReadTimeout:  10 * time.Second,\n\t\tWriteTimeout: 10 * time.Second", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7a991922a87c3642fa69290f84676d6acae20a0de5294bb319c48b85bcce2c8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/internal/auth/listener.go"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128446, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d45ae17d4f61822ddc8c3928c181d327866c20bf1b684c4c8f8f183239faab0c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/dashboard/src/components/moon/label.tsx", "duplicate_line": 1, "correlation_key": "fp|d45ae17d4f61822ddc8c3928c181d327866c20bf1b684c4c8f8f183239faab0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/ui/label.tsx"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128445, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a63e43f72d263b61be02bedee88616a688712f83955d4e8c4a41b8d6991e1fe3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/dashboard/src/components/chart/MetricCard.tsx", "duplicate_line": 67, "correlation_key": "fp|a63e43f72d263b61be02bedee88616a688712f83955d4e8c4a41b8d6991e1fe3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/ui/dashboard-card.tsx"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128444, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f981401ccd5c374df4438818e83d3ad7ce1a8f588d405b6dacbbfe742cf28d98", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/dashboard/src/components/observe/InsightsEmployees.tsx", "duplicate_line": 8, "correlation_key": "fp|f981401ccd5c374df4438818e83d3ad7ce1a8f588d405b6dacbbfe742cf28d98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/ui/combobox.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128443, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c7f78b2f10ec027d718862a4cd0f4e472b6cd010af2df622d24f8606fba0cbd5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/dashboard/src/components/project-menu.tsx", "duplicate_line": 99, "correlation_key": "fp|c7f78b2f10ec027d718862a4cd0f4e472b6cd010af2df622d24f8606fba0cbd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/top-header.tsx"}, "region": {"startLine": 338}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128442, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a8c1386e130a91842a2f9caf4cb6040cf7c7777f576e0f1621d4a3d16e706d52", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/dashboard/src/components/sources/ViewAssetDialogContent.tsx", "duplicate_line": 28, "correlation_key": "fp|a8c1386e130a91842a2f9caf4cb6040cf7c7777f576e0f1621d4a3d16e706d52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/sources/useFetchSourceContent.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128441, "scanner": "repobility-ai-code-hygiene", "fingerprint": "495ff2d35e12a243bb71a4095e725c5bddfa8df4847e5833a2c0d642f13d3826", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/dashboard/src/components/sources/ViewAssetDialogContent.tsx", "duplicate_line": 95, "correlation_key": "fp|495ff2d35e12a243bb71a4095e725c5bddfa8df4847e5833a2c0d642f13d3826"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/sources/ViewSourceDialogContent.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128440, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d9c293734d0b5dfeaa99dd23e0a48482e0fc7aadf272136ff52d696cab100653", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/dashboard/src/components/sources/Sources.tsx", "duplicate_line": 266, "correlation_key": "fp|d9c293734d0b5dfeaa99dd23e0a48482e0fc7aadf272136ff52d696cab100653"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/sources/SourcesEmptyState.tsx"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128439, "scanner": "repobility-ai-code-hygiene", "fingerprint": "961974df2ed131af554bf0028439208cc65d276297a3585203474862003d2512", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/dashboard/src/components/sources/SourceCard.tsx", "duplicate_line": 69, "correlation_key": "fp|961974df2ed131af554bf0028439208cc65d276297a3585203474862003d2512"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/sources/SourceTableRow.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128438, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f9c552049be8ccdc3363ef749faa019038767a4772bbd4409059ea6628678cc0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/dashboard/src/components/app-sidebar.tsx", "duplicate_line": 30, "correlation_key": "fp|f9c552049be8ccdc3363ef749faa019038767a4772bbd4409059ea6628678cc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/org-sidebar.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128437, "scanner": "repobility-ai-code-hygiene", "fingerprint": "56b5479eb88fd0b8d812deaee63094d8d5f0e890ad2a1f9512330fd676d8241e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/dashboard/src/components/observe/LogsMCP.tsx", "duplicate_line": 99, "correlation_key": "fp|56b5479eb88fd0b8d812deaee63094d8d5f0e890ad2a1f9512330fd676d8241e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/observe/useObserveFilters.ts"}, "region": {"startLine": 104}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128436, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7bf99d4038b1d8136ccbdac633fb11ae0f7c99e5720b17337fa8e453c907cddd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/dashboard/src/components/observe/LogsAgents.tsx", "duplicate_line": 142, "correlation_key": "fp|7bf99d4038b1d8136ccbdac633fb11ae0f7c99e5720b17337fa8e453c907cddd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/observe/useObserveFilters.ts"}, "region": {"startLine": 102}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128435, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2775941d3123e48b39bcd8afee32cdb31ada84b5befd9e30c814c4fa1365e79b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/dashboard/src/components/observe/LogsAgents.tsx", "duplicate_line": 142, "correlation_key": "fp|2775941d3123e48b39bcd8afee32cdb31ada84b5befd9e30c814c4fa1365e79b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/observe/useDateRangeFilter.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128434, "scanner": "repobility-ai-code-hygiene", "fingerprint": "34ed9aa1356032cf0c155c011c389d913863ea9cc5d3914af0c0acc2144e5ec9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/dashboard/src/components/observe/LogsMCP.tsx", "duplicate_line": 87, "correlation_key": "fp|34ed9aa1356032cf0c155c011c389d913863ea9cc5d3914af0c0acc2144e5ec9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/observe/useDateRangeFilter.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128433, "scanner": "repobility-ai-code-hygiene", "fingerprint": "76dd46532a33ef34c029eaab640bd17f249c879ffa9926287a0b36c1ab55cd95", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/dashboard/src/components/observe/LogsAgents.tsx", "duplicate_line": 142, "correlation_key": "fp|76dd46532a33ef34c029eaab640bd17f249c879ffa9926287a0b36c1ab55cd95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/observe/LogsMCP.tsx"}, "region": {"startLine": 97}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128432, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6ec396f8fe694ee3660002052eed52f776ba04a9f655aa4d04f4a7192efc6fc7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/dashboard/src/components/mcp/MCPCard.tsx", "duplicate_line": 108, "correlation_key": "fp|6ec396f8fe694ee3660002052eed52f776ba04a9f655aa4d04f4a7192efc6fc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/mcp/MCPTableRow.tsx"}, "region": {"startLine": 114}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128431, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dc5b827ce8cabb10f2aeb1103d96ac483443724e753c0b9c1739669b98a70d4e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/internal/app/install_claude_code.go", "duplicate_line": 19, "correlation_key": "fp|dc5b827ce8cabb10f2aeb1103d96ac483443724e753c0b9c1739669b98a70d4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/internal/app/install_gemini_cli.go"}, "region": {"startLine": 18}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 128395, "scanner": "repobility-threat-engine", "fingerprint": "4ad4a7dab815fceec705e47c25a7cc424ff5d1628109cef1c01257d02ed53169", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = fmt.Fprint(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4ad4a7dab815fceec705e47c25a7cc424ff5d1628109cef1c01257d02ed53169"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/internal/auth/listener.go"}, "region": {"startLine": 220}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 128394, "scanner": "repobility-threat-engine", "fingerprint": "d24aed9f8bb5326280311df14e365e5c318135b7cbba024fce4bb185aef35e9a", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = profile.LoadByName(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d24aed9f8bb5326280311df14e365e5c318135b7cbba024fce4bb185aef35e9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/internal/app/auth.go"}, "region": {"startLine": 64}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `render` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=1, else=2, if=5, nested_bonus=5, ternary=1."}, "properties": {"repobilityId": 128384, "scanner": "repobility-threat-engine", "fingerprint": "352ad0c9faa3bcc68547470078413b33f58a4aa4f54cfc25b0d73ee273d909d8", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 14 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "render", "breakdown": {"if": 5, "elif": 1, "else": 2, "ternary": 1, "nested_bonus": 5}, "complexity": 14, "correlation_key": "fp|352ad0c9faa3bcc68547470078413b33f58a4aa4f54cfc25b0d73ee273d909d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/risk-metrics-comment.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 128427, "scanner": "repobility-threat-engine", "fingerprint": "fe53ff1599160fc3cb49171b298688619c4cd077198006cc0b6021aa11a79e6b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fe53ff1599160fc3cb49171b298688619c4cd077198006cc0b6021aa11a79e6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/monaco-editor.tsx"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 128426, "scanner": "repobility-threat-engine", "fingerprint": "8c3560525de975a9c202cd1b69e7b70cd2e798d159e8cb8d425d4f011026e437", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8c3560525de975a9c202cd1b69e7b70cd2e798d159e8cb8d425d4f011026e437", "aggregated_count": 1}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 128425, "scanner": "repobility-threat-engine", "fingerprint": "38f89ae262d811dfec37199f8fb5806feaa39f66b3ad4eeb4be31902784cf859", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|38f89ae262d811dfec37199f8fb5806feaa39f66b3ad4eeb4be31902784cf859"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/upload-asset/deploy-step.tsx"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 128424, "scanner": "repobility-threat-engine", "fingerprint": "78dd9c4b44076b6e7c8402b56809f9d6c0183ec76966e2e9a8056757d478fd36", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|78dd9c4b44076b6e7c8402b56809f9d6c0183ec76966e2e9a8056757d478fd36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/sources/UploadOpenApiDialogContent.tsx"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 128423, "scanner": "repobility-threat-engine", "fingerprint": "62c70bd18d167e72a3a2ff58e7901135788976d0850c80d67dc85dc806e44679", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|62c70bd18d167e72a3a2ff58e7901135788976d0850c80d67dc85dc806e44679"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/content-error-boundary.tsx"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 128422, "scanner": "repobility-threat-engine", "fingerprint": "42ee92d37a2e42aa901260f840b00592ce9850051038c64b37c3a94bec9d0a07", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|42ee92d37a2e42aa901260f840b00592ce9850051038c64b37c3a94bec9d0a07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/ui/code-block.tsx"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 128421, "scanner": "repobility-threat-engine", "fingerprint": "c915490d64f48ba0cd1a2fdc8e26fa49015b32c69b6a910895dbdc1243c30046", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c915490d64f48ba0cd1a2fdc8e26fa49015b32c69b6a910895dbdc1243c30046"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/code.tsx"}, "region": {"startLine": 198}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 128420, "scanner": "repobility-threat-engine", "fingerprint": "8358846005692cc32f07b291eff02a6e6d6d49c5483904d60be6aef2e6ccb9c8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8358846005692cc32f07b291eff02a6e6d6d49c5483904d60be6aef2e6ccb9c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/ai-elements/code-block.tsx"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 128419, "scanner": "repobility-threat-engine", "fingerprint": "7eac65c6d729ce731cf7f1b0d32d88551e2714b6a555982628995e228d42ee93", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7eac65c6d729ce731cf7f1b0d32d88551e2714b6a555982628995e228d42ee93", "aggregated_count": 3}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 128418, "scanner": "repobility-threat-engine", "fingerprint": "3cc66a03f0ec6e44525089d348bc60f0cba39e0f72d12f4d3f62e536d90c976d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3cc66a03f0ec6e44525089d348bc60f0cba39e0f72d12f4d3f62e536d90c976d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/mcp/MCPCard.tsx"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 128417, "scanner": "repobility-threat-engine", "fingerprint": "815ad23caf764bccce1e24394f17e9a179b9e22fa20844ed5aa37ff31a219f0a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|815ad23caf764bccce1e24394f17e9a179b9e22fa20844ed5aa37ff31a219f0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/ai-elements/tool.tsx"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 128416, "scanner": "repobility-threat-engine", "fingerprint": "2197585fa69a57b4ae2e23848de6e1ed995fe51c906ded39ce8efca6252d7dab", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2197585fa69a57b4ae2e23848de6e1ed995fe51c906ded39ce8efca6252d7dab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/ai-elements/code-block.tsx"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 128415, "scanner": "repobility-threat-engine", "fingerprint": "2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 128410, "scanner": "repobility-threat-engine", "fingerprint": "bbcb733a3fba112627e4b7e830cefd1595cf5645df4ccaa9a211a5c5e0592cd4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|bbcb733a3fba112627e4b7e830cefd1595cf5645df4ccaa9a211a5c5e0592cd4", "aggregated_count": 6}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 128409, "scanner": "repobility-threat-engine", "fingerprint": "c29614d603348f434465a1d5689624d04d9e6cc269a50468922dcac9254b579e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c29614d603348f434465a1d5689624d04d9e6cc269a50468922dcac9254b579e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/functions/GettingStartedInstructions.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 128408, "scanner": "repobility-threat-engine", "fingerprint": "44f16c27e4b669dc7447c0d4f39abc4132dadd56a3730b09e855856ec24ce106", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|44f16c27e4b669dc7447c0d4f39abc4132dadd56a3730b09e855856ec24ce106"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/billing/usage-controls.tsx"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 128407, "scanner": "repobility-threat-engine", "fingerprint": "ff5f12b052bc37ba5f7288b9877028c3e611538b27dbe380738b9985b47b4038", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ff5f12b052bc37ba5f7288b9877028c3e611538b27dbe380738b9985b47b4038"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/ObservabilitySkeleton.tsx"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 128404, "scanner": "repobility-threat-engine", "fingerprint": "0b47f8a80cfe22dd1a3c117de71d64d0c5280fdcbd1dae568fdbe2328f4e182f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0b47f8a80cfe22dd1a3c117de71d64d0c5280fdcbd1dae568fdbe2328f4e182f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/mcp_install_page/useMcpMetadataForm.tsx"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 128403, "scanner": "repobility-threat-engine", "fingerprint": "152926b117403c0c20ee0771c8fc56c24c4c70bcfabf60e3e16af9a18379196a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|152926b117403c0c20ee0771c8fc56c24c4c70bcfabf60e3e16af9a18379196a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/internal/deploy/source_reader.go"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 128401, "scanner": "repobility-threat-engine", "fingerprint": "709bca542cd28c71e4073d9d41e64ad279b9f050c5d517d18ae15a6ddfd9c27f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|709bca542cd28c71e4073d9d41e64ad279b9f050c5d517d18ae15a6ddfd9c27f", "aggregated_count": 1}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 128397, "scanner": "repobility-threat-engine", "fingerprint": "e6cb8741bedd0cc28d040b809a833fba8b8331acece88522d51c4613c57932da", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e6cb8741bedd0cc28d040b809a833fba8b8331acece88522d51c4613c57932da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/internal/must/value.go"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 128396, "scanner": "repobility-threat-engine", "fingerprint": "ca8ad1fa988939936a243b66a27afd777f220d0180585f1e5a25ad7508d05692", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ca8ad1fa988939936a243b66a27afd777f220d0180585f1e5a25ad7508d05692"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/internal/app/logging/logging.go"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 128393, "scanner": "repobility-threat-engine", "fingerprint": "f3dc701057ea082eab932ad314c484e966b3ab0f4ffdc1eee50910c00e2f5c92", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f3dc701057ea082eab932ad314c484e966b3ab0f4ffdc1eee50910c00e2f5c92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/main.go"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 128392, "scanner": "repobility-threat-engine", "fingerprint": "ed8152daa87c1baaa8b9991a950942ae297948c7b2169832b497dd5c2f491439", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ed8152daa87c1baaa8b9991a950942ae297948c7b2169832b497dd5c2f491439"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/internal/app/auth.go"}, "region": {"startLine": 232}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 128391, "scanner": "repobility-threat-engine", "fingerprint": "2dd7741d048fa4125233f4d38169b7b6bfcf254bfbcc6b391ac104e43dd71249", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2dd7741d048fa4125233f4d38169b7b6bfcf254bfbcc6b391ac104e43dd71249"}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 128387, "scanner": "repobility-threat-engine", "fingerprint": "5537ab517bb54ec60dd3c6ed8fcf1af33e836c98cb3f67070b8a7041fe9f6b69", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5537ab517bb54ec60dd3c6ed8fcf1af33e836c98cb3f67070b8a7041fe9f6b69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agents/runner/src/workdir.rs"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 128386, "scanner": "repobility-threat-engine", "fingerprint": "bddf8155c8c6965e04753fe452b4c68f206f0c0db3c3dc899681e60b4c9a02f0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bddf8155c8c6965e04753fe452b4c68f206f0c0db3c3dc899681e60b4c9a02f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agents/runner/src/workdir.rs"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 128385, "scanner": "repobility-threat-engine", "fingerprint": "6b01b2a6e96cd5478917f7518d95de676a9cd2d5ea3374677de9732a2107f741", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6b01b2a6e96cd5478917f7518d95de676a9cd2d5ea3374677de9732a2107f741"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agents/runner/src/tools/bun_run.rs"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `pgvector/pgvector:pg17` unpinned: `container/services image: pgvector/pgvector:pg17` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 128491, "scanner": "repobility-supply-chain", "fingerprint": "a619b5cdd10abedaebfbbfb5ae7994d4d73b0cafc9f8f2f66fa2df55d9fa1c1c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a619b5cdd10abedaebfbbfb5ae7994d4d73b0cafc9f8f2f66fa2df55d9fa1c1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 684}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `pgvector/pgvector:pg17` unpinned: `container/services image: pgvector/pgvector:pg17` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 128490, "scanner": "repobility-supply-chain", "fingerprint": "d4bc9641c1190f7edc8fc3ad5e0dae49045456b1d238dd31fc54671c40427215", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d4bc9641c1190f7edc8fc3ad5e0dae49045456b1d238dd31fc54671c40427215"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 583}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `pgvector/pgvector:pg17` unpinned: `container/services image: pgvector/pgvector:pg17` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 128489, "scanner": "repobility-supply-chain", "fingerprint": "07ed4707d599f70938094f211832eca221bdb74ac7bda678adae942c2f73ace4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|07ed4707d599f70938094f211832eca221bdb74ac7bda678adae942c2f73ace4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 475}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `pgvector/pgvector:pg17` unpinned: `container/services image: pgvector/pgvector:pg17` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 128488, "scanner": "repobility-supply-chain", "fingerprint": "a0a4ec384a54f743390864fa3c8b5c3ab1a66710f1ccd41ca6ce16602e204510", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a0a4ec384a54f743390864fa3c8b5c3ab1a66710f1ccd41ca6ce16602e204510"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 411}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `ariga/atlas-action/migrate/push` pinned to mutable ref `@v1.14.5`: `uses: ariga/atlas-action/migrate/push@v1.14.5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128463, "scanner": "repobility-supply-chain", "fingerprint": "08e6501c5b83e2b885029690b8a8aba2c10716cdb9e707b1cc6514539532c932", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|08e6501c5b83e2b885029690b8a8aba2c10716cdb9e707b1cc6514539532c932"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 518}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `ariga/atlas-action/migrate/push` pinned to mutable ref `@v1.14.5`: `uses: ariga/atlas-action/migrate/push@v1.14.5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128462, "scanner": "repobility-supply-chain", "fingerprint": "515aab6634486d2835acb7969fbcaef927fdf339abe9fd15a7296c4b8fccd362", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|515aab6634486d2835acb7969fbcaef927fdf339abe9fd15a7296c4b8fccd362"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 510}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `ariga/atlas-action/migrate/lint` pinned to mutable ref `@v1.14.5`: `uses: ariga/atlas-action/migrate/lint@v1.14.5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128461, "scanner": "repobility-supply-chain", "fingerprint": "026cbb835b017d27cf26dc13e686999551c0b367d885116d0d41408abc084ad3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|026cbb835b017d27cf26dc13e686999551c0b367d885116d0d41408abc084ad3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 453}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `ariga/atlas-action/migrate/lint` pinned to mutable ref `@v1.14.5`: `uses: ariga/atlas-action/migrate/lint@v1.14.5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128460, "scanner": "repobility-supply-chain", "fingerprint": "89657ff9f7d9721acdd61291f487200a486c0c66e74925020220411b30e28caa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|89657ff9f7d9721acdd61291f487200a486c0c66e74925020220411b30e28caa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 442}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `anthropics/claude-code-action` pinned to mutable ref `@v1`: `uses: anthropics/claude-code-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128459, "scanner": "repobility-supply-chain", "fingerprint": "b3d2567d1c21836011fc2c2766f4d8faf3fcc2b6157245c9ed2e50a48f6d6f1b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b3d2567d1c21836011fc2c2766f4d8faf3fcc2b6157245c9ed2e50a48f6d6f1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `react-datepicker.css` pulled from URL/Git: `dependencies.react-datepicker.css` = `link:react-datepicker/dist/react-datepicker.css` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 128458, "scanner": "repobility-supply-chain", "fingerprint": "ee86639b671a22e1c1f300a7f28911133aad4a672d29e3d1d4cd7935e71da5a3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ee86639b671a22e1c1f300a7f28911133aad4a672d29e3d1d4cd7935e71da5a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/openai-apps-sdk/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `mapbox-gl.css` pulled from URL/Git: `dependencies.mapbox-gl.css` = `link:mapbox-gl/dist/mapbox-gl.css` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 128457, "scanner": "repobility-supply-chain", "fingerprint": "eb559185b3df4009b1b0726654c5e5fa1f26506d89f8aad8f87f46cf9fba40af", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb559185b3df4009b1b0726654c5e5fa1f26506d89f8aad8f87f46cf9fba40af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/openai-apps-sdk/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@gram/client` pulled from URL/Git: `dependencies.@gram/client` = `file:..` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 128456, "scanner": "repobility-supply-chain", "fingerprint": "ba241ca095d9ef246c583a7672d1cafbf10bcb0090e39c117367e646e666c273", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ba241ca095d9ef246c583a7672d1cafbf10bcb0090e39c117367e646e666c273"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/sdk/examples/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 128428, "scanner": "repobility-threat-engine", "fingerprint": "60ceba90f1095c57c4f23ac6b7eff608f9cbd5f696cd9a7163a5ee222ccd7b7e", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((ext) => `.${ext}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|60ceba90f1095c57c4f23ac6b7eff608f9cbd5f696cd9a7163a5ee222ccd7b7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/upload.tsx"}, "region": {"startLine": 165}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 128414, "scanner": "repobility-threat-engine", "fingerprint": "964705edd81b13771013fb0d54c8bef9533fc92527c57a08f8411c2b1039a529", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "next.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|964705edd81b13771013fb0d54c8bef9533fc92527c57a08f8411c2b1039a529"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/observe/useDateRangeFilter.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 128413, "scanner": "repobility-threat-engine", "fingerprint": "b3c7a810cd66d84710ff7ac7a84db12065d928fbcb31b3426f99d5d686b7a185", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "form.save();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b3c7a810cd66d84710ff7ac7a84db12065d928fbcb31b3426f99d5d686b7a185"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/mcp_install_page/config_form.tsx"}, "region": {"startLine": 151}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 128412, "scanner": "repobility-threat-engine", "fingerprint": "3c20a8c90bb13a8f62ab493e401542088b4bc13e39972ceef3da944e491aaaf5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "inFlightSubmissions.delete(storedRequestToken);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3c20a8c90bb13a8f62ab493e401542088b4bc13e39972ceef3da944e491aaaf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard/src/components/access/ShadowMCPRequestAccessContent.tsx"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 128400, "scanner": "repobility-threat-engine", "fingerprint": "92b2c46078c8c80414b97ca89a769ecbdd51c715608072406c7598d82bfefb21", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|92b2c46078c8c80414b97ca89a769ecbdd51c715608072406c7598d82bfefb21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/internal/mcp/claude_cli.go"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 128399, "scanner": "repobility-threat-engine", "fingerprint": "56c7b695eb0687ade2e30ed7160ca759ce33167410a83bcff2527f90c9b000c5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|56c7b695eb0687ade2e30ed7160ca759ce33167410a83bcff2527f90c9b000c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/internal/auth/dispatcher.go"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 128398, "scanner": "repobility-threat-engine", "fingerprint": "3123e81686ad4e5f5289a69e54389967b86a90364e363c19813553fa0ead0ee0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3123e81686ad4e5f5289a69e54389967b86a90364e363c19813553fa0ead0ee0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/internal/app/stage.go"}, "region": {"startLine": 142}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 128390, "scanner": "repobility-threat-engine", "fingerprint": "2b198a1fd3cab396fcee7bfa8dd793bc99c8bd0edfd320904d9aa97c3a878a58", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL (e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2b198a1fd3cab396fcee7bfa8dd793bc99c8bd0edfd320904d9aa97c3a878a58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/internal/app/install.go"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 128389, "scanner": "repobility-threat-engine", "fingerprint": "189d2c9b7e8e8b6b65c3c45bfc5b4362e91e98700682922f5015e066012938ea", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|189d2c9b7e8e8b6b65c3c45bfc5b4362e91e98700682922f5015e066012938ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/internal/app/auth.go"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 128388, "scanner": "repobility-threat-engine", "fingerprint": "5c0be03a8a2ce86e25515a7c8d343597d8d116e5030e59e176fa453cc9e3cfe4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5c0be03a8a2ce86e25515a7c8d343597d8d116e5030e59e176fa453cc9e3cfe4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/internal/api/keys.go"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC126", "level": "error", "message": {"text": "[SEC126] LLM prompt leakage in code comments (Generate me a function that...): The author's prompt to an LLM (or the LLM's preamble) was committed as a code comment. This leaks the threat model, the AI tooling in use, and often the original system-prompt fragments \u2014 useful to attackers profiling the codebase. Also a strong signal the code below was not reviewed by a human. CWE-540 (information exposure through source comments)."}, "properties": {"repobilityId": 128383, "scanner": "repobility-threat-engine", "fingerprint": "19ff38ae441f3aef13a08bcb225137615287949fb8e2c31b5db9d789b05d9fb3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "# Prompt-injection risk report\",", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC126", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|19ff38ae441f3aef13a08bcb225137615287949fb8e2c31b5db9d789b05d9fb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/risk-metrics-comment.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GRAM_BOT_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GRAM_BOT_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128487, "scanner": "repobility-supply-chain", "fingerprint": "2ed27911592156af4782201d2f9117306c63072e6c3ebbb0bc51f26982fc5321", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2ed27911592156af4782201d2f9117306c63072e6c3ebbb0bc51f26982fc5321"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 1773}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SVIX_SYNC_KEY_US_PROD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SVIX_SYNC_KEY_US_PROD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128486, "scanner": "repobility-supply-chain", "fingerprint": "50a43ed67bce5bcfb459d5c8f8c7c285578efc2e55fea6ac535a91be1ffb6354", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|50a43ed67bce5bcfb459d5c8f8c7c285578efc2e55fea6ac535a91be1ffb6354"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 1760}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SVIX_SYNC_KEY_US_DEV` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SVIX_SYNC_KEY_US_DEV }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128485, "scanner": "repobility-supply-chain", "fingerprint": "9bdfb6edad22039f91e8835430e6258aa7525f34a264364234cdc688ca614545", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9bdfb6edad22039f91e8835430e6258aa7525f34a264364234cdc688ca614545"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 1754}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FLY_API_TOKEN_PROD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FLY_API_TOKEN_PROD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128484, "scanner": "repobility-supply-chain", "fingerprint": "1034c70a2edb4b1b2c23bab718de6f07976c6417ec93b7241eefd16fd886d600", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1034c70a2edb4b1b2c23bab718de6f07976c6417ec93b7241eefd16fd886d600"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 1480}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FLY_API_TOKEN_DEV` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FLY_API_TOKEN_DEV }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128483, "scanner": "repobility-supply-chain", "fingerprint": "e0c5ab425302e04c4a6c71cab97fc4d4667feab44ad35064b45e81e04117c44a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e0c5ab425302e04c4a6c71cab97fc4d4667feab44ad35064b45e81e04117c44a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 1471}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FLY_ORG_PROD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FLY_ORG_PROD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128482, "scanner": "repobility-supply-chain", "fingerprint": "4bab998f78b0fc11c725314f65a0f89aab67ff996779adf046244f211f81f2bc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4bab998f78b0fc11c725314f65a0f89aab67ff996779adf046244f211f81f2bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 1431}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FLY_API_TOKEN_PROD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FLY_API_TOKEN_PROD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128481, "scanner": "repobility-supply-chain", "fingerprint": "2f87f93032be89e97a1428c958f1453e42043cc3e43f544e32c13c0a5a80e267", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2f87f93032be89e97a1428c958f1453e42043cc3e43f544e32c13c0a5a80e267"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 1427}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FLY_ORG_DEV` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FLY_ORG_DEV }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128480, "scanner": "repobility-supply-chain", "fingerprint": "0c913aaf6848fe1f293ae08173bd585ba092c43e3a7d08a1deee4b5d8289194a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0c913aaf6848fe1f293ae08173bd585ba092c43e3a7d08a1deee4b5d8289194a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 1418}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FLY_API_TOKEN_DEV` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FLY_API_TOKEN_DEV }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128479, "scanner": "repobility-supply-chain", "fingerprint": "9030e9d14a2be0e850009831df3444b39e6ab61003e418b3b8975262f421c9cd", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9030e9d14a2be0e850009831df3444b39e6ab61003e418b3b8975262f421c9cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 1414}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.MELANGE_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.MELANGE_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128478, "scanner": "repobility-supply-chain", "fingerprint": "328523dd1736ef1da1de8c651f82f0d3208e83285f89ab073e1eb07f1a265541", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|328523dd1736ef1da1de8c651f82f0d3208e83285f89ab073e1eb07f1a265541"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 1318}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SPEAKEASY_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SPEAKEASY_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128477, "scanner": "repobility-supply-chain", "fingerprint": "57697b848375cb00b3a20dfa0d91dbd90a15636cec05fb6cbdffedb494c5d33a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|57697b848375cb00b3a20dfa0d91dbd90a15636cec05fb6cbdffedb494c5d33a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 1156}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BOT_REPO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BOT_REPO_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128476, "scanner": "repobility-supply-chain", "fingerprint": "dc8aa6848f5741fc95432178762fd716fc8544bd4c38c332c4f148ce23ff7467", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dc8aa6848f5741fc95432178762fd716fc8544bd4c38c332c4f148ce23ff7467"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 1090}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DATADOG_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DATADOG_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128475, "scanner": "repobility-supply-chain", "fingerprint": "3bbbe1b36e22659253142112033df0bd9ebfb2f5fb5b87c6332faa741c331d54", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3bbbe1b36e22659253142112033df0bd9ebfb2f5fb5b87c6332faa741c331d54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 1052}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ATLAS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ATLAS_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128474, "scanner": "repobility-supply-chain", "fingerprint": "123db298b49033a7095e767b8eda0259a6eaedb70cd0cb38c6e2a699e8f472ed", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|123db298b49033a7095e767b8eda0259a6eaedb70cd0cb38c6e2a699e8f472ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 664}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ATLAS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ATLAS_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128473, "scanner": "repobility-supply-chain", "fingerprint": "dfe096b933074738d61d1472d10844247356ed955dd370bf4244b2ebff206357", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dfe096b933074738d61d1472d10844247356ed955dd370bf4244b2ebff206357"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 496}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ATLAS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ATLAS_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128472, "scanner": "repobility-supply-chain", "fingerprint": "b73e41b4f8e0627b28b36927dd160d09ed8e88ad600602f1a0e97893e5c10148", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b73e41b4f8e0627b28b36927dd160d09ed8e88ad600602f1a0e97893e5c10148"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 432}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FLY_API_TOKEN_PROD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FLY_API_TOKEN_PROD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128471, "scanner": "repobility-supply-chain", "fingerprint": "e9ea72259dba6967834b4357c3346ce97d0081bcb3a26a57807471feb70f8da8", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e9ea72259dba6967834b4357c3346ce97d0081bcb3a26a57807471feb70f8da8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 373}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FLY_API_TOKEN_DEV` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FLY_API_TOKEN_DEV }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128470, "scanner": "repobility-supply-chain", "fingerprint": "2a22073105cf05cbac8643a55412b1c61aecee2dfe839fae1ba338ed605acad5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2a22073105cf05cbac8643a55412b1c61aecee2dfe839fae1ba338ed605acad5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 343}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FLY_ORG_PROD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FLY_ORG_PROD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128469, "scanner": "repobility-supply-chain", "fingerprint": "5a87da2e5a9b832844b991532834956d33ab0e4a7930776faf1d5a44c5bf57f9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5a87da2e5a9b832844b991532834956d33ab0e4a7930776faf1d5a44c5bf57f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 334}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FLY_API_TOKEN_PROD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FLY_API_TOKEN_PROD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128468, "scanner": "repobility-supply-chain", "fingerprint": "4f2dfb483fc5c156a39d9e63f9f8903d475e6ca7e882d95708a23b76d416c316", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f2dfb483fc5c156a39d9e63f9f8903d475e6ca7e882d95708a23b76d416c316"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 330}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FLY_ORG_DEV` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FLY_ORG_DEV }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128467, "scanner": "repobility-supply-chain", "fingerprint": "a562fceed2f929ca1b933cc8fbbce3b3d5d36993250a3f45ed848c7c61a07e6b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a562fceed2f929ca1b933cc8fbbce3b3d5d36993250a3f45ed848c7c61a07e6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 322}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FLY_API_TOKEN_DEV` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FLY_API_TOKEN_DEV }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128466, "scanner": "repobility-supply-chain", "fingerprint": "05a6e37d1ac2323e1198b68be67f250124f6579f831f5a75bd15f333782b650a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|05a6e37d1ac2323e1198b68be67f250124f6579f831f5a75bd15f333782b650a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 318}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BOT_REPO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BOT_REPO_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128465, "scanner": "repobility-supply-chain", "fingerprint": "d6f9aae007c1f7293314e5c3dae23229848d04a921b6451ac56643bf635813a4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d6f9aae007c1f7293314e5c3dae23229848d04a921b6451ac56643bf635813a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 269}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BOT_REPO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BOT_REPO_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128464, "scanner": "repobility-supply-chain", "fingerprint": "c8ba781af7abf040dcf804d88a003af76bc33f565feffc36dd4ab5e038bcf8dc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c8ba781af7abf040dcf804d88a003af76bc33f565feffc36dd4ab5e038bcf8dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 216}}}]}]}]}