{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED088", "name": "[MINED088] React Conditional Hook (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED088] React Conditional Hook (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 32 more): Same pattern found in 32 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 32 more): Same pattern found in 32 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 14 more): Same pattern found in 14 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `android/gradle/wrapper/gra", "shortDescription": {"text": "[MINED134] Binary file `android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (45,457 bytes) committed to a repo that otherwise has 933 source files. Trojan binarie"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `jest-fetch-mock` pulled from URL/Git: `devDependencies.jest-fetch-mock` = `github:jefflau/j", "shortDescription": {"text": "[MINED122] package.json dep `jest-fetch-mock` pulled from URL/Git: `devDependencies.jest-fetch-mock` = `github:jefflau/jest-fetch-mock` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL "}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC026", "name": "[SEC026] XML External Entity (XXE) \u2014 Ruby Nokogiri default: Ruby XML parsers (Nokogiri, REXML, libxml-ruby) expand exter", "shortDescription": {"text": "[SEC026] XML External Entity (XXE) \u2014 Ruby Nokogiri default: Ruby XML parsers (Nokogiri, REXML, libxml-ruby) expand external entities by default. REXML in particular has historical billion-laughs vulnerabilities."}, "fullDescription": {"text": "Nokogiri: pass options to disable network + external entities:\n  Nokogiri::XML(xml) { |c| c.options &= ~Nokogiri::XML::ParseOptions::NONET }\nREXML: avoid; switch to Nokogiri or Ox with hardened options."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.SLACK_BUILDS_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.SLACK_BUILDS_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_BUILDS_WEBHOOK_URL }` lets a PR from any fork"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1152"}, "properties": {"repository": "inaturalist/iNaturalistReactNative", "repoUrl": "https://github.com/inaturalist/iNaturalistReactNative", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 115282, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 115281, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 115276, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 115275, "scanner": "repobility-agent-runtime", "fingerprint": "16a38d43d9e5b94c363a325d5fe669c73dba2e5c31048136d0d6a0be22ced7c2", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|16a38d43d9e5b94c363a325d5fe669c73dba2e5c31048136d0d6a0be22ced7c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_android.yml"}, "region": {"startLine": 126}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 115261, "scanner": "repobility-threat-engine", "fingerprint": "0faec6c388ff51103e10f5126f68986b67c00e55e80352e1f7f5f3c2cd536fc0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * 100; // Add randomness\n    return exponentialDelay + jitter; // Progressiv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0faec6c388ff51103e10f5126f68986b67c00e55e80352e1f7f5f3c2cd536fc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/sharedHelpers/logging.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 115242, "scanner": "repobility-threat-engine", "fingerprint": "0e02a906599f7808d12134f46fbe2f9ed0aa719ce6175a041e24c95bd7ff969e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Foo bar\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0e02a906599f7808d12134f46fbe2f9ed0aa719ce6175a041e24c95bd7ff969e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/Developer/UiLibrary/ObsListItemDemo.js"}, "region": {"startLine": 99}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 115280, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 115279, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 115278, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 115277, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 115274, "scanner": "repobility-ai-code-hygiene", "fingerprint": "482daca9102b3bc99e66dcf8e6daecf18e99f297e2374df769c17cbd608f03c5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/SharedComponents/ActivityAnimation/Confetti.tsx", "duplicate_line": 98, "correlation_key": "fp|482daca9102b3bc99e66dcf8e6daecf18e99f297e2374df769c17cbd608f03c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/SharedComponents/IconicTaxonChooser.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 115273, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5d42694c6c52269a95bd095cdb7f302606411d3a5c93a18ac36d201de7a227fa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/ObsDetailsSharedComponents/ObsDetailsContainer.js", "duplicate_line": 44, "correlation_key": "fp|5d42694c6c52269a95bd095cdb7f302606411d3a5c93a18ac36d201de7a227fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ObsDetailsSharedComponents/hooks/useObsDetailsSharedLogic.ts"}, "region": {"startLine": 321}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 115272, "scanner": "repobility-ai-code-hygiene", "fingerprint": "39145d4f14d675ed09ac79f19154dbeaec580df1dd82b9928700a9ae9ab61c72", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/ObsDetails/Sheets/AgreeWithIDSheet.js", "duplicate_line": 4, "correlation_key": "fp|39145d4f14d675ed09ac79f19154dbeaec580df1dd82b9928700a9ae9ab61c72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ObsDetailsSharedComponents/Sheets/AgreeWithIDSheet.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 115271, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dce5f4ddb217111af4730f46496e6b4a538ca8c8886eaa0c1294c75e8d69fd60", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/ObsDetailsDefaultMode/ObsDetailsDefaultMode.tsx", "duplicate_line": 47, "correlation_key": "fp|dce5f4ddb217111af4730f46496e6b4a538ca8c8886eaa0c1294c75e8d69fd60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ObsDetailsSharedComponents/ObsDetailsModeSwitcher.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 115270, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e654a680264fda6023a0ddb71bf3594b8f2115153e3c8feeacb6be1a84d70019", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/ObsDetails/ObsDetailsOverview.js", "duplicate_line": 59, "correlation_key": "fp|e654a680264fda6023a0ddb71bf3594b8f2115153e3c8feeacb6be1a84d70019"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ObsDetailsDefaultMode/ObserverDetails.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 115269, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c16449e80dbe900654caff31687f356d019ed2549c5df96ae826654400259780", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/ObsDetails/DetailsTab/DetailsTab.js", "duplicate_line": 26, "correlation_key": "fp|c16449e80dbe900654caff31687f356d019ed2549c5df96ae826654400259780"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ObsDetailsDefaultMode/MoreSection/ShareButton.tsx"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 115268, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5deac27e7a2101f30356f8cdb891b6732440340650d456c2b576fcee6a31d4fb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/ObsDetails/ObsDetailsOverview.js", "duplicate_line": 82, "correlation_key": "fp|5deac27e7a2101f30356f8cdb891b6732440340650d456c2b576fcee6a31d4fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ObsDetailsDefaultMode/CommunityTaxon.js"}, "region": {"startLine": 83}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 115267, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dde7ad60de2fe90a7e5b88246ca5daada38eed16cd2f41263498e9bce59e1470", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/ObsDetails/ActivityTab/ActivityTab.js", "duplicate_line": 4, "correlation_key": "fp|dde7ad60de2fe90a7e5b88246ca5daada38eed16cd2f41263498e9bce59e1470"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ObsDetailsDefaultMode/CommunitySection/CommunitySection.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 115266, "scanner": "repobility-ai-code-hygiene", "fingerprint": "accd8148e896d959f0e02628f1009fb8783649d3369f18a929fa658c05a62b70", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/MediaViewer/MediaViewer.js", "duplicate_line": 20, "correlation_key": "fp|accd8148e896d959f0e02628f1009fb8783649d3369f18a929fa658c05a62b70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/MediaViewer/MediaViewerModal.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 115265, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6aaeac7560575e6ab262e75e36c881a6b09d81fc0e2e28a21c754fe84dd09b1c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/LoginSignUp/LoginForm.tsx", "duplicate_line": 76, "correlation_key": "fp|6aaeac7560575e6ab262e75e36c881a6b09d81fc0e2e28a21c754fe84dd09b1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/LoginSignUp/SignUpConfirmationForm.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 115264, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e3587ac827a4427179d45b146900d7142cb98aad97633b875eaffb990c08a415", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/Explore/ExploreContainer.js", "duplicate_line": 57, "correlation_key": "fp|e3587ac827a4427179d45b146900d7142cb98aad97633b875eaffb990c08a415"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/Explore/RootExploreContainer.js"}, "region": {"startLine": 93}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 115263, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d02b7be253f49d65e65d042a66d03e14b4201e03a9600d3570b1525ccc649235", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/Explore/IdentifiersView.js", "duplicate_line": 2, "correlation_key": "fp|d02b7be253f49d65e65d042a66d03e14b4201e03a9600d3570b1525ccc649235"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/Explore/ObserversView.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 115262, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b443ab8abe82c80b537e4c6c8ee86a09c9e715d06c2833e8b989a64323bd7cf5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/Explore/Explore.js", "duplicate_line": 117, "correlation_key": "fp|b443ab8abe82c80b537e4c6c8ee86a09c9e715d06c2833e8b989a64323bd7cf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/Explore/ExploreV2.tsx"}, "region": {"startLine": 71}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 115230, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "MINED088", "level": "none", "message": {"text": "[MINED088] React Conditional Hook (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 115260, "scanner": "repobility-threat-engine", "fingerprint": "787958a870941ef57d7f281d471c6f5152bb6fcaccef79608289cf68178e430e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-conditional-hook", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348143+00:00", "triaged_in_corpus": 20, "observations_count": 600, "ai_coder_pattern_id": 139}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|787958a870941ef57d7f281d471c6f5152bb6fcaccef79608289cf68178e430e", "aggregated_count": 1}}}, {"ruleId": "MINED088", "level": "none", "message": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "properties": {"repobilityId": 115259, "scanner": "repobility-threat-engine", "fingerprint": "8925f385faeb746488a3a2b7498259887aa97b6aab2d8ae17157d630e1253689", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-conditional-hook", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348143+00:00", "triaged_in_corpus": 20, "observations_count": 600, "ai_coder_pattern_id": 139}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8925f385faeb746488a3a2b7498259887aa97b6aab2d8ae17157d630e1253689"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/sharedHooks/useInterval.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED088", "level": "none", "message": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "properties": {"repobilityId": 115258, "scanner": "repobility-threat-engine", "fingerprint": "eb592da835527595483242b8b3c1c88bf648bbb11d87a2fd1f24ed574a2b5c41", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-conditional-hook", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348143+00:00", "triaged_in_corpus": 20, "observations_count": 600, "ai_coder_pattern_id": 139}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eb592da835527595483242b8b3c1c88bf648bbb11d87a2fd1f24ed574a2b5c41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/hooks/useWorkQueue.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED088", "level": "none", "message": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "properties": {"repobilityId": 115257, "scanner": "repobility-threat-engine", "fingerprint": "3e95b47bbc63f58cd422492a611fe0b17f1071d8a3dea8c0c2d2158223e2ae8c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-conditional-hook", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348143+00:00", "triaged_in_corpus": 20, "observations_count": 600, "ai_coder_pattern_id": 139}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e95b47bbc63f58cd422492a611fe0b17f1071d8a3dea8c0c2d2158223e2ae8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ObsEdit/EvidenceSectionContainer.js"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 115256, "scanner": "repobility-threat-engine", "fingerprint": "f24978ce7076f2c79ac9c853990b4494de39cd80a06d58e1441d17ca76f8b416", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f24978ce7076f2c79ac9c853990b4494de39cd80a06d58e1441d17ca76f8b416"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/sharedHooks/useSuggestions/useOfflineSuggestions.ts"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 115255, "scanner": "repobility-threat-engine", "fingerprint": "f2b2294a1055c877c65c3cf74dbbf2beb3fe163c95b97935b568717db1563d1e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f2b2294a1055c877c65c3cf74dbbf2beb3fe163c95b97935b568717db1563d1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ObsDetails/helpers/checkCamelAndSnakeCase.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 115254, "scanner": "repobility-threat-engine", "fingerprint": "307f5bf7e7178f9b3cb206856f1d204cf3565d4e9865e936199654eee7552d23", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|307f5bf7e7178f9b3cb206856f1d204cf3565d4e9865e936199654eee7552d23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ObsDetails/DataQualityAssessment.tsx"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 115252, "scanner": "repobility-threat-engine", "fingerprint": "2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 115248, "scanner": "repobility-threat-engine", "fingerprint": "0ddd6bcfa97968d161ac638ba7dc2f33f344c9057b794769ef10dd6efc4a060f", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.error( \"Failed to refresh token in mutation after 401:\", refreshError )", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|4|logger.error failed to refresh token in mutation after 401: refresherror"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/sharedHooks/useAuthenticatedMutation.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 115247, "scanner": "repobility-threat-engine", "fingerprint": "513e30ad794a07969105bd171a48f2a67fc2e912919a9412e76677f30973c966", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.error( \"Assertion with Apple token failed\", authenticateUserByAssertionError )", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|7|logger.error assertion with apple token failed token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/LoginSignUp/loginFormHelpers.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 115246, "scanner": "repobility-threat-engine", "fingerprint": "29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc"}}}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 115241, "scanner": "repobility-threat-engine", "fingerprint": "67672509773c3a19d3ea750399f1b5ca4dbc6bdf7c8d8164931ebfe2e4f4cdb8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|67672509773c3a19d3ea750399f1b5ca4dbc6bdf7c8d8164931ebfe2e4f4cdb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/reassure-tests.sh"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 32 more): Same pattern found in 32 additional files. Review if needed."}, "properties": {"repobilityId": 115239, "scanner": "repobility-threat-engine", "fingerprint": "6f24ae03479eaf66c5fcfabaaf4635274ba539865e41a1e75746fbba02a1dbd6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 32 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6f24ae03479eaf66c5fcfabaaf4635274ba539865e41a1e75746fbba02a1dbd6", "aggregated_count": 32}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 115238, "scanner": "repobility-threat-engine", "fingerprint": "e5e0b5f9e6a00b84fae002a410c573fad869c67366d58039e1f375202ea55ec9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e5e0b5f9e6a00b84fae002a410c573fad869c67366d58039e1f375202ea55ec9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/log/enhanceLoggerWithExtra.ts"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 115237, "scanner": "repobility-threat-engine", "fingerprint": "6c977f21b1e6af3599ea11c596675e127f6cd136a9c51c4808bdfe50fc4aca6e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6c977f21b1e6af3599ea11c596675e127f6cd136a9c51c4808bdfe50fc4aca6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/error.ts"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 115236, "scanner": "repobility-threat-engine", "fingerprint": "c64cc70d03e2e6d6c347a94c10033ef93ceb468124e240d51cb5f5720150fe69", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c64cc70d03e2e6d6c347a94c10033ef93ceb468124e240d51cb5f5720150fe69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/add-example-model.js"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 115235, "scanner": "repobility-threat-engine", "fingerprint": "b7c1cb867c749253a0405d07d2ed1d668f15d6f30ebc825c0a4d40956421eeec", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b7c1cb867c749253a0405d07d2ed1d668f15d6f30ebc825c0a4d40956421eeec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "react-native-logs.config.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 115234, "scanner": "repobility-threat-engine", "fingerprint": "d7c4aed36fcf8742e3f317ea547da7c0a8acc22c2285e75e640f48ef6fe8d9a7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d7c4aed36fcf8742e3f317ea547da7c0a8acc22c2285e75e640f48ef6fe8d9a7", "aggregated_count": 14}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 115233, "scanner": "repobility-threat-engine", "fingerprint": "95f253421bde87231926ce4f045256fedb739176e5fe50ed50bf18bc888f2a44", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|95f253421bde87231926ce4f045256fedb739176e5fe50ed50bf18bc888f2a44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/MyObservations/hooks/useSyncObservations.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 115232, "scanner": "repobility-threat-engine", "fingerprint": "0441ab8508e44af31ab9576814d30d1d0a2867d4d2c3465ff1b128b9b1c11ab8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0441ab8508e44af31ab9576814d30d1d0a2867d4d2c3465ff1b128b9b1c11ab8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/log/index.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 115231, "scanner": "repobility-threat-engine", "fingerprint": "15c8a1ae8755e0043181727d1340318797b689bd0b107732053e11855b5da4dd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|15c8a1ae8755e0043181727d1340318797b689bd0b107732053e11855b5da4dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "jest.config.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (45,457 bytes) committed to a repo that otherwise has 933 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 115329, "scanner": "repobility-supply-chain", "fingerprint": "050a423e6569ee3d14ea32b01ca1cf385bdd5cacc70d8a1538b3fe2da5716c7c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|050a423e6569ee3d14ea32b01ca1cf385bdd5cacc70d8a1538b3fe2da5716c7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115328, "scanner": "repobility-supply-chain", "fingerprint": "78fd469a351067217688104d2142f2df8f1073f991009120d34df33503661c6e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|78fd469a351067217688104d2142f2df8f1073f991009120d34df33503661c6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_android.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115327, "scanner": "repobility-supply-chain", "fingerprint": "c832381f685bccb896ba740f92b7724ca2edb945f25d42ee14c794d90a9f99fc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c832381f685bccb896ba740f92b7724ca2edb945f25d42ee14c794d90a9f99fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_android.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/actions/setup-gradle` pinned to mutable ref `@v5`: `uses: gradle/actions/setup-gradle@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115326, "scanner": "repobility-supply-chain", "fingerprint": "62ee5a88c0b1e56ae5b3a07316afa084cf16adf8d282e1f3d9cbcc6e47991225", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|62ee5a88c0b1e56ae5b3a07316afa084cf16adf8d282e1f3d9cbcc6e47991225"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_android.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115325, "scanner": "repobility-supply-chain", "fingerprint": "3da1ebb5f86fc7a95d064265f224cd5a4a7ad9cdd4ff384f1622ce98caf73de1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3da1ebb5f86fc7a95d064265f224cd5a4a7ad9cdd4ff384f1622ce98caf73de1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_android.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115324, "scanner": "repobility-supply-chain", "fingerprint": "d18e06ae121e1f30d4287df2d4bd44281c661408e9d2509e620bf878a886087a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d18e06ae121e1f30d4287df2d4bd44281c661408e9d2509e620bf878a886087a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_android.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115323, "scanner": "repobility-supply-chain", "fingerprint": "a937d015aa6df0de600eaf2b6ea0af5aa3434d2c9729c78f0074b011d12cca75", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a937d015aa6df0de600eaf2b6ea0af5aa3434d2c9729c78f0074b011d12cca75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_android.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `crowdin/github-action` pinned to mutable ref `@v2`: `uses: crowdin/github-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115322, "scanner": "repobility-supply-chain", "fingerprint": "51fbabd69c40364802b1a372fe84dff296fec73289ce179cb30c0f04ba09a6c5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|51fbabd69c40364802b1a372fe84dff296fec73289ce179cb30c0f04ba09a6c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/crowdin-push.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115321, "scanner": "repobility-supply-chain", "fingerprint": "00258267f77805d1ae3b98d65c5556822bd8bf5fdec8fe60c76f52faf1f26893", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|00258267f77805d1ae3b98d65c5556822bd8bf5fdec8fe60c76f52faf1f26893"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/crowdin-push.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `iRoachie/slack-github-actions` pinned to mutable ref `@v2.3.0`: `uses: iRoachie/slack-github-actions@v2.3.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115306, "scanner": "repobility-supply-chain", "fingerprint": "f0812a4d7b48db0bdb3e2ceb4b5f797a6e8c4927851eea53578ba69530a0f5e4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0812a4d7b48db0bdb3e2ceb4b5f797a6e8c4927851eea53578ba69530a0f5e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 263}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115305, "scanner": "repobility-supply-chain", "fingerprint": "43d7816808cd274b8e4c7823445d6b84c2652c1db76107bb341532510b53e3eb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|43d7816808cd274b8e4c7823445d6b84c2652c1db76107bb341532510b53e3eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 249}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115304, "scanner": "repobility-supply-chain", "fingerprint": "0dc494d50de1f8f6aa1c950c420ceebbbfdcfa3b25f107d77bc77b5259962d31", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0dc494d50de1f8f6aa1c950c420ceebbbfdcfa3b25f107d77bc77b5259962d31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115303, "scanner": "repobility-supply-chain", "fingerprint": "130a7a931811cd60e7419bbf79b3fa595e5fe3be3feced6d4d3f37796cbbae28", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|130a7a931811cd60e7419bbf79b3fa595e5fe3be3feced6d4d3f37796cbbae28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v7`: `uses: actions/download-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115302, "scanner": "repobility-supply-chain", "fingerprint": "0982caf6af96b1421676841776f478b3a5031a2f665ecfe8b92aeadcffdb1a36", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0982caf6af96b1421676841776f478b3a5031a2f665ecfe8b92aeadcffdb1a36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115301, "scanner": "repobility-supply-chain", "fingerprint": "82fbda05c615c79c306e72a180689cf74b62c1c20043bd66e0dd70794e5b8ef1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|82fbda05c615c79c306e72a180689cf74b62c1c20043bd66e0dd70794e5b8ef1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115300, "scanner": "repobility-supply-chain", "fingerprint": "6f24c325150d372c76fbcce3783d03c9d813833284db1d3d8892aaa43a7ee3fb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6f24c325150d372c76fbcce3783d03c9d813833284db1d3d8892aaa43a7ee3fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115299, "scanner": "repobility-supply-chain", "fingerprint": "6c9b92e3b25a9cc0b34b044da213b5320177d042c2487bbd23f7e2e4504aabb4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c9b92e3b25a9cc0b34b044da213b5320177d042c2487bbd23f7e2e4504aabb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115298, "scanner": "repobility-supply-chain", "fingerprint": "40e5a781fba69c0732b9d59dd9a1c07c684d0b3c66e06255689e4c4c37f02494", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|40e5a781fba69c0732b9d59dd9a1c07c684d0b3c66e06255689e4c4c37f02494"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `ruby/setup-ruby` pinned to mutable ref `@v1`: `uses: ruby/setup-ruby@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115297, "scanner": "repobility-supply-chain", "fingerprint": "09d6dea3ab21ba4a564e8c5cb0cacc7e71bbb04ed1605137e44189cb0f4b0fbd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|09d6dea3ab21ba4a564e8c5cb0cacc7e71bbb04ed1605137e44189cb0f4b0fbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115296, "scanner": "repobility-supply-chain", "fingerprint": "9383e32b20e4c771456f74fb1a3e33243c583ebd8722e275f6076c88a51151a2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9383e32b20e4c771456f74fb1a3e33243c583ebd8722e275f6076c88a51151a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115295, "scanner": "repobility-supply-chain", "fingerprint": "5e8ebea774fde20f7a7237a01d5197b6af1d98ab5e2f7cfb42de099f09a3f331", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5e8ebea774fde20f7a7237a01d5197b6af1d98ab5e2f7cfb42de099f09a3f331"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `iRoachie/slack-github-actions` pinned to mutable ref `@v2.3.0`: `uses: iRoachie/slack-github-actions@v2.3.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115293, "scanner": "repobility-supply-chain", "fingerprint": "ebd703d04157444faa57cd85c450b7f4c5c7befa6db83e66c441970e837ce3dc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ebd703d04157444faa57cd85c450b7f4c5c7befa6db83e66c441970e837ce3dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `ruby/setup-ruby` pinned to mutable ref `@v1`: `uses: ruby/setup-ruby@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115292, "scanner": "repobility-supply-chain", "fingerprint": "e7615e15c24cce2ae361eeeeea97af3e8211350552b04a48a2a0fe1008a0dc01", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e7615e15c24cce2ae361eeeeea97af3e8211350552b04a48a2a0fe1008a0dc01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115291, "scanner": "repobility-supply-chain", "fingerprint": "f9c61b5b536048c312056691fa92c66e36cdf169c4c074b1d954071953e72788", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f9c61b5b536048c312056691fa92c66e36cdf169c4c074b1d954071953e72788"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115290, "scanner": "repobility-supply-chain", "fingerprint": "f49a62c941724cf44c1486242f08dd5e91a57dcab08989eb178d22aaab0f3190", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f49a62c941724cf44c1486242f08dd5e91a57dcab08989eb178d22aaab0f3190"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 115289, "scanner": "repobility-supply-chain", "fingerprint": "4915886263a67c7c2f7f43aad6d3437ac3817d439d466d08180426e70d551f40", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4915886263a67c7c2f7f43aad6d3437ac3817d439d466d08180426e70d551f40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `jest-fetch-mock` pulled from URL/Git: `devDependencies.jest-fetch-mock` = `github:jefflau/jest-fetch-mock` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 115288, "scanner": "repobility-supply-chain", "fingerprint": "1b443584966f72d8333fde0a20e84a57cccd43fb670cd5a90909c9de135c6715", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b443584966f72d8333fde0a20e84a57cccd43fb670cd5a90909c9de135c6715"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `vision-camera-plugin-inatvision` pulled from URL/Git: `dependencies.vision-camera-plugin-inatvision` = `github:inaturalist/vision-camera-plugin-inatvision#5cb51942939f704acbb5d451a444f7aa36268c66` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 115287, "scanner": "repobility-supply-chain", "fingerprint": "0249cecf96f1534b699ecdbc45af54550dfc297af875695ca9ba6e32505a64ba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0249cecf96f1534b699ecdbc45af54550dfc297af875695ca9ba6e32505a64ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `react-native-share-menu` pulled from URL/Git: `dependencies.react-native-share-menu` = `github:inaturalist/react-native-share-menu#iNaturalistReactNative` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 115286, "scanner": "repobility-supply-chain", "fingerprint": "24966234e74166061392f41ee8e049d9c87818981a81d2ae5d2695dd7da24b12", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|24966234e74166061392f41ee8e049d9c87818981a81d2ae5d2695dd7da24b12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `react-native-orientation-locker` pulled from URL/Git: `dependencies.react-native-orientation-locker` = `github:wonday/react-native-orientation-locker` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 115285, "scanner": "repobility-supply-chain", "fingerprint": "d33bac086022a68ca8f106754b5e9fb42395c992b462a5c8facf2676e21f881a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d33bac086022a68ca8f106754b5e9fb42395c992b462a5c8facf2676e21f881a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `react-native-mail` pulled from URL/Git: `dependencies.react-native-mail` = `github:chirag04/react-native-mail` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 115284, "scanner": "repobility-supply-chain", "fingerprint": "99d5d8a00e824efce9f5d82bd0ec215b6fddcbd787dfc142a28c6cce65a5e1bd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|99d5d8a00e824efce9f5d82bd0ec215b6fddcbd787dfc142a28c6cce65a5e1bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `inaturalistjs` pulled from URL/Git: `dependencies.inaturalistjs` = `github:inaturalist/inaturalistjs#70d6f5dd639aa10ae3208215ac6eef84825d6d2e` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 115283, "scanner": "repobility-supply-chain", "fingerprint": "af5ca37bb4328f4755ec0d160b984a7da3dcbafdba3e3a7c39c240f2eaa3b274", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|af5ca37bb4328f4755ec0d160b984a7da3dcbafdba3e3a7c39c240f2eaa3b274"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 115253, "scanner": "repobility-threat-engine", "fingerprint": "a39da42781e31d34418ad6b5777909c3b52884d36e2bb1ee35be7512464ce14a", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map( ( uploadUuid: string ) => `'${uploadUuid}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a39da42781e31d34418ad6b5777909c3b52884d36e2bb1ee35be7512464ce14a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/MyObservations/hooks/useUploadObservations.ts"}, "region": {"startLine": 202}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 115251, "scanner": "repobility-threat-engine", "fingerprint": "a32dba38719b324ca3f1c4bb2722deca8ef80cc160e629e74d78657a55855fad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "realm.create( \"QueueItem\", { id: nextId, payload, type } );", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a32dba38719b324ca3f1c4bb2722deca8ef80cc160e629e74d78657a55855fad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/realmModels/QueueItem.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 115250, "scanner": "repobility-threat-engine", "fingerprint": "930be8dbf72945697be9620f985dbca75a01a2c12180f932a25c258117dc5ae4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "realm.create( \"User\", updatedUser, \"modified\" );", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|930be8dbf72945697be9620f985dbca75a01a2c12180f932a25c258117dc5ae4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/hooks/useWorkQueue.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 115249, "scanner": "repobility-threat-engine", "fingerprint": "c3c04f076829d450c084dd73ce603abce92b39cb833a2921377a3e3ffecadff6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "realm.delete( observation );", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c3c04f076829d450c084dd73ce603abce92b39cb833a2921377a3e3ffecadff6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/MyObservations/helpers/syncRemoteDeletedObservations.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 115245, "scanner": "repobility-threat-engine", "fingerprint": "392c103d28054c6a709b22f66e0578e44e54873ceb4cfd5f78e4deec93653d76", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL( h", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|392c103d28054c6a709b22f66e0578e44e54873ceb4cfd5f78e4deec93653d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/SharedComponents/UserText.tsx"}, "region": {"startLine": 216}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 115244, "scanner": "repobility-threat-engine", "fingerprint": "92405d43d43584fea868e2a1f62407183531693ad601190d7cc256fb117a2604", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url( i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|92405d43d43584fea868e2a1f62407183531693ad601190d7cc256fb117a2604"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ObsDetails/MasonryLayout.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 115243, "scanner": "repobility-threat-engine", "fingerprint": "863cd77b789eac2edf3f9482991e6d4603e9ecc31b378ed142d7fbc4ba6e49f8", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url( r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|863cd77b789eac2edf3f9482991e6d4603e9ecc31b378ed142d7fbc4ba6e49f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/FullPageWebView/FullPageWebView.tsx"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC026", "level": "error", "message": {"text": "[SEC026] XML External Entity (XXE) \u2014 Ruby Nokogiri default: Ruby XML parsers (Nokogiri, REXML, libxml-ruby) expand external entities by default. REXML in particular has historical billion-laughs vulnerabilities."}, "properties": {"repobilityId": 115240, "scanner": "repobility-threat-engine", "fingerprint": "b404e0660b3371a730a87b175293d964b88f64afdeb5ccc1b59e7b2be6e8fa3c", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Nokogiri::XML(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC026", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b404e0660b3371a730a87b175293d964b88f64afdeb5ccc1b59e7b2be6e8fa3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/clean_icon_svgs.rb"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SLACK_BUILDS_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_BUILDS_WEBHOOK_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 115320, "scanner": "repobility-supply-chain", "fingerprint": "b4449aae7f6c7761ffea2f3f1944a5e0b1c0c6e241e5d5ea7cbb360c7cb27b5d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4449aae7f6c7761ffea2f3f1944a5e0b1c0c6e241e5d5ea7cbb360c7cb27b5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 266}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.JWT_ANONYMOUS_API_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.JWT_ANONYMOUS_API_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 115319, "scanner": "repobility-supply-chain", "fingerprint": "bcc328fb99e3773c0b257a903cf2371ce8ea9a794bd405c411b831d39c4e18c2", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bcc328fb99e3773c0b257a903cf2371ce8ea9a794bd405c411b831d39c4e18c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.E2E_TEST_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.E2E_TEST_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 115318, "scanner": "repobility-supply-chain", "fingerprint": "52047da3e4db1a6f4b61961e69248e600eb4fe478cd07f3a9247476da32a22c8", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|52047da3e4db1a6f4b61961e69248e600eb4fe478cd07f3a9247476da32a22c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.E2E_TEST_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.E2E_TEST_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 115317, "scanner": "repobility-supply-chain", "fingerprint": "4ac70e4e1e58cc4ea44092b493edfe047d81c985ae74b1d501b7bede6f83b8fb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4ac70e4e1e58cc4ea44092b493edfe047d81c985ae74b1d501b7bede6f83b8fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 203}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.OAUTH_CLIENT_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.OAUTH_CLIENT_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 115316, "scanner": "repobility-supply-chain", "fingerprint": "a81b6cfc3274e8d9a70737fd2eb6d48a08bc1cd3834cd299d12cd962bd2b1ee0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a81b6cfc3274e8d9a70737fd2eb6d48a08bc1cd3834cd299d12cd962bd2b1ee0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 202}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.OAUTH_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.OAUTH_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 115315, "scanner": "repobility-supply-chain", "fingerprint": "dc09da0ba89b627b1423e3ba57bb600de5da8041ffc3a661f6416c55084527af", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dc09da0ba89b627b1423e3ba57bb600de5da8041ffc3a661f6416c55084527af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 201}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.JWT_ANONYMOUS_API_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.JWT_ANONYMOUS_API_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 115314, "scanner": "repobility-supply-chain", "fingerprint": "c6d973db26655bb3d6feab3fbe2c8c4fadc6d1ef92f0267ec1c4cb764f9d6a85", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c6d973db26655bb3d6feab3fbe2c8c4fadc6d1ef92f0267ec1c4cb764f9d6a85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.E2E_TEST_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.E2E_TEST_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 115313, "scanner": "repobility-supply-chain", "fingerprint": "132c25af877f813fb57f8cd41b7a39ec6c56578ec8eb44a67164da319cee9721", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|132c25af877f813fb57f8cd41b7a39ec6c56578ec8eb44a67164da319cee9721"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.E2E_TEST_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.E2E_TEST_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 115312, "scanner": "repobility-supply-chain", "fingerprint": "2388b00170c41db886ba1d53cc496cf810b792444de38309674160ae67f3a797", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2388b00170c41db886ba1d53cc496cf810b792444de38309674160ae67f3a797"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.OAUTH_CLIENT_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.OAUTH_CLIENT_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 115311, "scanner": "repobility-supply-chain", "fingerprint": "480435e3c5890a9642a8b4bf0889b0fc415d18a1146866daa779436977ebc361", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|480435e3c5890a9642a8b4bf0889b0fc415d18a1146866daa779436977ebc361"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.OAUTH_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.OAUTH_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 115310, "scanner": "repobility-supply-chain", "fingerprint": "e088a2605872c6b7a9b8928928a6a5a68de5dbea4849381075f8e3c27cd008a2", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e088a2605872c6b7a9b8928928a6a5a68de5dbea4849381075f8e3c27cd008a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FIREBASE_STAGING_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FIREBASE_STAGING_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 115309, "scanner": "repobility-supply-chain", "fingerprint": "0a281a138311ed1acd77bd5cf24ead74ad8b50e699171e01b279859dd904640b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a281a138311ed1acd77bd5cf24ead74ad8b50e699171e01b279859dd904640b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FIREBASE_STAGING_GOOGLE_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FIREBASE_STAGING_GOOGLE_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 115308, "scanner": "repobility-supply-chain", "fingerprint": "f6e91b523d597631c2871705091ae0d0c573a1df24cd975f85bcc5060f746cf2", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f6e91b523d597631c2871705091ae0d0c573a1df24cd975f85bcc5060f746cf2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.OAUTH_CLIENT_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.OAUTH_CLIENT_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 115307, "scanner": "repobility-supply-chain", "fingerprint": "bb2c1c9ec65ffe00250a3f47a7d2d9344c14643e9967d83fd30724a6b3daad17", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bb2c1c9ec65ffe00250a3f47a7d2d9344c14643e9967d83fd30724a6b3daad17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_ios.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SLACK_BUILDS_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_BUILDS_WEBHOOK_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 115294, "scanner": "repobility-supply-chain", "fingerprint": "0ef50c90e89dbabc30581204535ae4790513d88894dfa4beaa71f403bcbb7e72", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0ef50c90e89dbabc30581204535ae4790513d88894dfa4beaa71f403bcbb7e72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 70}}}]}]}]}