{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Dockerfile base image uses the latest tag", "shortDescription": {"text": "Dockerfile base image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC007", "name": "Generated build artifact directory is present at repository root", "shortDescription": {"text": "Generated build artifact directory is present at repository root"}, "fullDescription": {"text": "Remove generated output from version control, add it to .gitignore and .dockerignore where relevant, and regenerate it in CI or release jobs."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED011", "name": "[MINED011] Scala Get On Option (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED011] Scala Get On Option (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED051", "name": "[MINED051] Csharp Null Forgive (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED051] Csharp Null Forgive (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED002", "name": "[MINED002] Dart Null Bang (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED002] Dart Null Bang (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED005", "name": "[MINED005] Lua Loadstring (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED005] Lua Loadstring (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 24 more): Same pattern found in 24 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 97 more): Same pattern found in 97 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 97 more): Same pattern found in 97 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 36 more): Same pattern found in 36 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 36 more): Same pattern found in 36 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED070", "name": "[MINED070] Zig Undefined Init (and 156 more): Same pattern found in 156 additional files. Review if needed.", "shortDescription": {"text": "[MINED070] Zig Undefined Init (and 156 more): Same pattern found in 156 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED048", "name": "[MINED048] Php Error Suppress (and 498 more): Same pattern found in 498 additional files. Review if needed.", "shortDescription": {"text": "[MINED048] Php Error Suppress (and 498 more): Same pattern found in 498 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `ghcr.io/flathub-infra/flatpak-github-actions:gnome-47` unpinned: `containe", "shortDescription": {"text": "[MINED126] Workflow container/services image `ghcr.io/flathub-infra/flatpak-github-actions:gnome-47` unpinned: `container/services image: ghcr.io/flathub-infra/flatpak-github-actions:gnome-47` without `@sha256:...` pulls a mutable tag at wo"}, "fullDescription": {"text": "Replace with `ghcr.io/flathub-infra/flatpak-github-actions:gnome-47@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `DeterminateSystems/nix-installer-action` pinned to mutable ref `@main`: `uses: DeterminateSystems/nix", "shortDescription": {"text": "[MINED115] Action `DeterminateSystems/nix-installer-action` pinned to mutable ref `@main`: `uses: DeterminateSystems/nix-installer-action@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made"}, "fullDescription": {"text": "Replace with: `uses: DeterminateSystems/nix-installer-action@<40-char-sha>  # main` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.safe_literal_eval` used but never assigned in __init__: Method `process_patch_entry` of class `PatchSet", "shortDescription": {"text": "[MINED108] `self.safe_literal_eval` used but never assigned in __init__: Method `process_patch_entry` of class `PatchSetExtractor` reads `self.safe_literal_eval`, but no assignment to it exists in __init__ (and no class-level fallback). Thi"}, "fullDescription": {"text": "Initialize `self.safe_literal_eval = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "Create .dockerignore before using broad context copies, or copy only the required files and directories."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED008", "name": "[MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let.", "shortDescription": {"text": "[MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_reques", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate th"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/916"}, "properties": {"repository": "ghostty-org/ghostty", "repoUrl": "https://github.com/ghostty-org/ghostty", "branch": "main"}, "results": [{"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 85958, "scanner": "repobility-docker", "fingerprint": "ff74e228533f1a04cad1dbf2091be9080dd613b7a499647c4c3b187aef794ce6", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nginx:alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ff74e228533f1a04cad1dbf2091be9080dd613b7a499647c4c3b187aef794ce6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/build/docker/lib-c-docs/Dockerfile"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 85957, "scanner": "repobility-docker", "fingerprint": "cab8003c32b2357a5b1377d1147ccc8fb55bdf7622d692c295b56a51ce5bee53", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "archlinux:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|cab8003c32b2357a5b1377d1147ccc8fb55bdf7622d692c295b56a51ce5bee53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/build/docker/lib-c-docs/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 85956, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 85955, "scanner": "repobility-docker", "fingerprint": "5de8d5083687b5220e2c63fee8c0e225ec32a83e6099f022772b8bdddfb1388f", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "docker.io/library/debian:${DISTRO_VERSION}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5de8d5083687b5220e2c63fee8c0e225ec32a83e6099f022772b8bdddfb1388f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/build/docker/debian/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 85952, "scanner": "repobility-agent-runtime", "fingerprint": "9aeb177878b717ecf58a4a908a4ab068d010b20d12498db2cfad01622b52fd4a", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|9aeb177878b717ecf58a4a908a4ab068d010b20d12498db2cfad01622b52fd4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-tip.yml"}, "region": {"startLine": 97}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 85951, "scanner": "repobility-agent-runtime", "fingerprint": "519e2b16a6d27f029f08dc6c9dd96ddb380f0d2ad019609c87d587460e67cd0a", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|519e2b16a6d27f029f08dc6c9dd96ddb380f0d2ad019609c87d587460e67cd0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-tag.yml"}, "region": {"startLine": 299}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85950, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3bbc4ff17ce5ba368d18b46a1f444583124af4d8a6bc502727ab582923420f2a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "macos/Sources/Helpers/Backport.swift", "duplicate_line": 62, "correlation_key": "fp|3bbc4ff17ce5ba368d18b46a1f444583124af4d8a6bc502727ab582923420f2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "macos/Sources/Helpers/Cursor.swift"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85949, "scanner": "repobility-ai-code-hygiene", "fingerprint": "46cfacbd0bfe6dfcdca3b4b6d24f9a6899400077ae6359c9ecf066fed33c4826", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "macos/Sources/Features/AppleScript/AppDelegate+AppleScript.swift", "duplicate_line": 84, "correlation_key": "fp|46cfacbd0bfe6dfcdca3b4b6d24f9a6899400077ae6359c9ecf066fed33c4826"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "macos/Sources/Features/AppleScript/ScriptTerminal.swift"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85948, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0d9389844d83bfb1f1c4e13eb0177063fa5588d0f02fad61508a880ba2f0bba6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "macos/Sources/Features/AppleScript/ScriptInputTextCommand.swift", "duplicate_line": 10, "correlation_key": "fp|0d9389844d83bfb1f1c4e13eb0177063fa5588d0f02fad61508a880ba2f0bba6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "macos/Sources/Features/AppleScript/ScriptMouseScrollCommand.swift"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85947, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1c3ccc6d776d1c1cb04503dca64b40c53e1057ea406ba7d3ed86d41fbb5baed5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "macos/Sources/Features/AppleScript/ScriptKeyEventCommand.swift", "duplicate_line": 41, "correlation_key": "fp|1c3ccc6d776d1c1cb04503dca64b40c53e1057ea406ba7d3ed86d41fbb5baed5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "macos/Sources/Features/AppleScript/ScriptMousePosCommand.swift"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85946, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dd363af78623878b85586cb7c5dbc89cfc33350bf060c8d6695d2dfafd94d328", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "macos/Sources/Features/AppleScript/ScriptInputTextCommand.swift", "duplicate_line": 10, "correlation_key": "fp|dd363af78623878b85586cb7c5dbc89cfc33350bf060c8d6695d2dfafd94d328"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "macos/Sources/Features/AppleScript/ScriptMousePosCommand.swift"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85945, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8db255fd83d1e8c30b6e544d76c6fc3170808a236ef87c220a7249a58c294b40", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "macos/Sources/Features/AppleScript/ScriptKeyEventCommand.swift", "duplicate_line": 33, "correlation_key": "fp|8db255fd83d1e8c30b6e544d76c6fc3170808a236ef87c220a7249a58c294b40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "macos/Sources/Features/AppleScript/ScriptMouseButtonCommand.swift"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85944, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cd63e1a4ecff16dd5f3c14dfa4e52d32f36a9c8586f5c754499679f84ab2e340", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "macos/Sources/Features/AppleScript/ScriptInputTextCommand.swift", "duplicate_line": 10, "correlation_key": "fp|cd63e1a4ecff16dd5f3c14dfa4e52d32f36a9c8586f5c754499679f84ab2e340"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "macos/Sources/Features/AppleScript/ScriptMouseButtonCommand.swift"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85943, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2d18598c4dc03d9c830e180bc752f1c4949efd8eae67d9cef4d2c81dd73bab5a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "macos/Sources/Features/AppleScript/ScriptInputTextCommand.swift", "duplicate_line": 10, "correlation_key": "fp|2d18598c4dc03d9c830e180bc752f1c4949efd8eae67d9cef4d2c81dd73bab5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "macos/Sources/Features/AppleScript/ScriptKeyEventCommand.swift"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85942, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d74e373aaf0bdcf41e514735afef055e88cb93e59e023b594a38c9ba3168964e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "macos/Sources/Features/App Intents/CloseTerminalIntent.swift", "duplicate_line": 10, "correlation_key": "fp|d74e373aaf0bdcf41e514735afef055e88cb93e59e023b594a38c9ba3168964e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "macos/Sources/Features/App Intents/FocusTerminalIntent.swift"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC007", "level": "note", "message": {"text": "Generated build artifact directory is present at repository root"}, "properties": {"repobilityId": 85941, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6069b1ec53cf974ec6e25b94b13d24116a19565dae3d82ce5bcc320c773215fd", "category": "quality", "severity": "low", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains a common generated artifact directory.", "evidence": {"rule_id": "AIC007", "scanner": "repobility-ai-code-hygiene", "directory": "dist", "references": ["https://git-scm.com/docs/gitignore", "https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|6069b1ec53cf974ec6e25b94b13d24116a19565dae3d82ce5bcc320c773215fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dist"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 85892, "scanner": "repobility-threat-engine", "fingerprint": "d09f2ed0d52472afaeb20361e8e82673e9c19381fda284388a994b7609f6c60b", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = gpa.deinit(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d09f2ed0d52472afaeb20361e8e82673e9c19381fda284388a994b7609f6c60b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "example/zig-vt/src/main.zig"}, "region": {"startLine": 8}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 85891, "scanner": "repobility-threat-engine", "fingerprint": "bb98ea05c256b4148c5d05d2f02af6344a65234741e7241e6dd21738112ead21", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = gpa.deinit(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bb98ea05c256b4148c5d05d2f02af6344a65234741e7241e6dd21738112ead21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "example/zig-vt-stream/src/main.zig"}, "region": {"startLine": 6}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 85890, "scanner": "repobility-threat-engine", "fingerprint": "caf1d0e1c61e8133e570c3091fbca63f4eede47a97c0c4b200c1c439fc2d4c9b", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = gpa.deinit(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|caf1d0e1c61e8133e570c3091fbca63f4eede47a97c0c4b200c1c439fc2d4c9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "example/zig-formatter/src/main.zig"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 85953, "scanner": "repobility-docker", "fingerprint": "71ad13bdb86194b1cff3ef09d30612e5a090571e5a66b2bef465bcaa005a114a", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "docker.io/library/debian:${DISTRO_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|71ad13bdb86194b1cff3ef09d30612e5a090571e5a66b2bef465bcaa005a114a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/build/docker/debian/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 85939, "scanner": "repobility-threat-engine", "fingerprint": "3df73b0440ffba96bb46b2c4c125ae132491f82beefd8dca9f164add2615d115", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3df73b0440ffba96bb46b2c4c125ae132491f82beefd8dca9f164add2615d115"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/apprt/ipc.zig"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 85938, "scanner": "repobility-threat-engine", "fingerprint": "aa4cab7e868991db0188b3bab0fd6f6f181c39d5dc912c7bcf7b82d1691e6956", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa4cab7e868991db0188b3bab0fd6f6f181c39d5dc912c7bcf7b82d1691e6956"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/apprt/gtk/portal.zig"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 85937, "scanner": "repobility-threat-engine", "fingerprint": "d3ece2af9a3dc0281c58239fda92dbbc1ac087f289cf425be27742dd458b53f3", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "Print(alloc, \"{s}/test\", .{build_config.bundle_id})", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|src/os/macos.zig|17|print alloc s /test . build_config.bundle_id"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/os/macos.zig"}, "region": {"startLine": 173}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 85936, "scanner": "repobility-threat-engine", "fingerprint": "b31ce9536f7b09b20879615fbd3c1bc9cf5b8be998cfa37d529860cefdd12e04", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "print(\"Ghostty {s}\\n\\n\", .{build_config.version_string})", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|src/cli/version.zig|3|print ghostty s n n . build_config.version_string"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/version.zig"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED011", "level": "none", "message": {"text": "[MINED011] Scala Get On Option (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 85934, "scanner": "repobility-threat-engine", "fingerprint": "8e59bb7c8bf2f101e8a261ecab0f74ec0a26fc641020d7a93b1a7754a2b46300", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8e59bb7c8bf2f101e8a261ecab0f74ec0a26fc641020d7a93b1a7754a2b46300", "aggregated_count": 2}}}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 85930, "scanner": "repobility-threat-engine", "fingerprint": "647d21140dcabf5c5f0d9275451adb0aa3bf8b2d6c1a8d8de202d8b34c8578f1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|647d21140dcabf5c5f0d9275451adb0aa3bf8b2d6c1a8d8de202d8b34c8578f1", "aggregated_count": 9}}}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 85929, "scanner": "repobility-threat-engine", "fingerprint": "9caa460512b8cf5063474d37d3edc5394cfc04812bb1918ad5d56c893b5112b5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9caa460512b8cf5063474d37d3edc5394cfc04812bb1918ad5d56c893b5112b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config/command.zig"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 85928, "scanner": "repobility-threat-engine", "fingerprint": "a8fffb101ce3735a3966155f5a22b9093a24f2e348cdfc3b1175e6d129a59e06", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a8fffb101ce3735a3966155f5a22b9093a24f2e348cdfc3b1175e6d129a59e06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/apprt/gtk/portal.zig"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 85927, "scanner": "repobility-threat-engine", "fingerprint": "76ff82af97c77f013a1474a434b16fa2f5889b4023661289a2972365bdd72b13", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|76ff82af97c77f013a1474a434b16fa2f5889b4023661289a2972365bdd72b13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/wuffs/src/swizzle.zig"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED002", "level": "none", "message": {"text": "[MINED002] Dart Null Bang (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 85926, "scanner": "repobility-threat-engine", "fingerprint": "cb086e31e4ee81c1fbdbb7fc81c6dc554a49f9ff605238935abbf7d65884ddde", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "dart-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347899+00:00", "triaged_in_corpus": 15, "observations_count": 1434931, "ai_coder_pattern_id": 167}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|cb086e31e4ee81c1fbdbb7fc81c6dc554a49f9ff605238935abbf7d65884ddde", "aggregated_count": 9}}}, {"ruleId": "MINED005", "level": "none", "message": {"text": "[MINED005] Lua Loadstring (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 85922, "scanner": "repobility-threat-engine", "fingerprint": "0c4eb659fe1fdee35e1a873a840ae8ef49e90879c7a7d054382382914f587331", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "lua-loadstring", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["lua"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347908+00:00", "triaged_in_corpus": 20, "observations_count": 291730, "ai_coder_pattern_id": 169}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0c4eb659fe1fdee35e1a873a840ae8ef49e90879c7a7d054382382914f587331", "aggregated_count": 2}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 85918, "scanner": "repobility-threat-engine", "fingerprint": "1da708584abb405bd45cc6a3f949d9ca6efcb7f5a0cdaa984ecf772f5dd7b48d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1da708584abb405bd45cc6a3f949d9ca6efcb7f5a0cdaa984ecf772f5dd7b48d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/extra/sublime.zig"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 85917, "scanner": "repobility-threat-engine", "fingerprint": "e49bc8682d113585fdb63b98fca1917fd0e1d3c76dd3e153d73904d251250f1e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e49bc8682d113585fdb63b98fca1917fd0e1d3c76dd3e153d73904d251250f1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/macos/foundation/url.zig"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "properties": {"repobilityId": 85916, "scanner": "repobility-threat-engine", "fingerprint": "58fbcc5871cede51356fdc6cdfef86c7aa594b8ddd38ed51af4b44a59b438305", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|58fbcc5871cede51356fdc6cdfef86c7aa594b8ddd38ed51af4b44a59b438305", "aggregated_count": 24}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 85915, "scanner": "repobility-threat-engine", "fingerprint": "3e776fb949d364b96d8ee85eaa48a5f5bb7d58949a48e8f18ec03f4d573d3143", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e776fb949d364b96d8ee85eaa48a5f5bb7d58949a48e8f18ec03f4d573d3143"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/glslang/shader.zig"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 85914, "scanner": "repobility-threat-engine", "fingerprint": "8d7c52eb854ddc09bc89babe208976877c27cf4fdee44ad686cfd805b3860fda", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8d7c52eb854ddc09bc89babe208976877c27cf4fdee44ad686cfd805b3860fda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/glslang/program.zig"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 85913, "scanner": "repobility-threat-engine", "fingerprint": "fc06ce46f1c1493a0eca0f093ce744d99d6f6fdb3a3b7b9cd746f9251bc0dbe3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fc06ce46f1c1493a0eca0f093ce744d99d6f6fdb3a3b7b9cd746f9251bc0dbe3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/freetype/Library.zig"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 97 more): Same pattern found in 97 additional files. Review if needed."}, "properties": {"repobilityId": 85912, "scanner": "repobility-threat-engine", "fingerprint": "111fc8dc16edd7b4baa3055ad097f4cb1e1a85ee59fd32de863236f0a15c068a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 97 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|111fc8dc16edd7b4baa3055ad097f4cb1e1a85ee59fd32de863236f0a15c068a", "aggregated_count": 97}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 85911, "scanner": "repobility-threat-engine", "fingerprint": "69beb7dbfe257e1f792c6bc2f1e59594c4376be0c32225619197e8cf0333b615", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|69beb7dbfe257e1f792c6bc2f1e59594c4376be0c32225619197e8cf0333b615"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fontconfig/lang_set.zig"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 85910, "scanner": "repobility-threat-engine", "fingerprint": "78dd32e1c17a45b28356e742c6c36b3e1e7f30fe08d61aa5cfb5202297604fd4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|78dd32e1c17a45b28356e742c6c36b3e1e7f30fe08d61aa5cfb5202297604fd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fontconfig/init.zig"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 85909, "scanner": "repobility-threat-engine", "fingerprint": "dbf980f30db4a4ad7fda467d711185cd171d647d4083ed535c8f24eed6e3b90b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dbf980f30db4a4ad7fda467d711185cd171d647d4083ed535c8f24eed6e3b90b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fontconfig/char_set.zig"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 85907, "scanner": "repobility-threat-engine", "fingerprint": "9b3140f1a544f1ef1e4ee1c8fe4f37d0e07d4cf440fa514118050d9d52cbc42e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9b3140f1a544f1ef1e4ee1c8fe4f37d0e07d4cf440fa514118050d9d52cbc42e", "aggregated_count": 4}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 85906, "scanner": "repobility-threat-engine", "fingerprint": "d32f3a75fbda64ebfe23210fdbbcc7a3328b4130828924b6020650e24a40efad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d32f3a75fbda64ebfe23210fdbbcc7a3328b4130828924b6020650e24a40efad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/apprt/gtk/ext/slice.zig"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 85905, "scanner": "repobility-threat-engine", "fingerprint": "31423fd4bb9bb47a6e9d1d08753c94bf07fc00d54f8432b0ca50abc826a2524d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|31423fd4bb9bb47a6e9d1d08753c94bf07fc00d54f8432b0ca50abc826a2524d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fontconfig/build.zig"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 85904, "scanner": "repobility-threat-engine", "fingerprint": "44477e635ba1e4f67a6023a596c46052cafb49912b93e0ccf54fc76cb20bc4d6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|44477e635ba1e4f67a6023a596c46052cafb49912b93e0ccf54fc76cb20bc4d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/afl++/build.zig"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 36 more): Same pattern found in 36 additional files. Review if needed."}, "properties": {"repobilityId": 85901, "scanner": "repobility-threat-engine", "fingerprint": "4df65e8730925905a54111dd8a78df95327542aa56f70f3455ac389c7201c2cf", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 36 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 36 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4df65e8730925905a54111dd8a78df95327542aa56f70f3455ac389c7201c2cf"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 85897, "scanner": "repobility-threat-engine", "fingerprint": "821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756"}}}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "properties": {"repobilityId": 85893, "scanner": "repobility-threat-engine", "fingerprint": "9ec2ec848f2c08c872b515b13f0457816fec254874cfc2493155a55c11d9e05c", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9ec2ec848f2c08c872b515b13f0457816fec254874cfc2493155a55c11d9e05c"}}}, {"ruleId": "MINED070", "level": "none", "message": {"text": "[MINED070] Zig Undefined Init (and 156 more): Same pattern found in 156 additional files. Review if needed."}, "properties": {"repobilityId": 85889, "scanner": "repobility-threat-engine", "fingerprint": "fdf5974da044fad683872b6f87828dcd357710e1e7da236f099e75d14293489f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 156 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "zig-undefined-init", "owasp": null, "cwe_ids": [], "languages": ["zig"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348065+00:00", "triaged_in_corpus": 12, "observations_count": 36548, "ai_coder_pattern_id": 171}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fdf5974da044fad683872b6f87828dcd357710e1e7da236f099e75d14293489f", "aggregated_count": 156}}}, {"ruleId": "MINED070", "level": "none", "message": {"text": "[MINED070] Zig Undefined Init: var x: T = undefined leaves memory uninitialized. Often a foot-gun."}, "properties": {"repobilityId": 85888, "scanner": "repobility-threat-engine", "fingerprint": "f252d009400ba147b8b149893659d44331667cc472842601439de069ee60aa49", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "zig-undefined-init", "owasp": null, "cwe_ids": [], "languages": ["zig"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348065+00:00", "triaged_in_corpus": 12, "observations_count": 36548, "ai_coder_pattern_id": 171}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f252d009400ba147b8b149893659d44331667cc472842601439de069ee60aa49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fontconfig/config.zig"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED070", "level": "none", "message": {"text": "[MINED070] Zig Undefined Init: var x: T = undefined leaves memory uninitialized. Often a foot-gun."}, "properties": {"repobilityId": 85887, "scanner": "repobility-threat-engine", "fingerprint": "1cbf31dce39da3b303e4103f7f0ac0f81e64954fc5f2df250272c946f1c4f170", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "zig-undefined-init", "owasp": null, "cwe_ids": [], "languages": ["zig"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348065+00:00", "triaged_in_corpus": 12, "observations_count": 36548, "ai_coder_pattern_id": 171}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1cbf31dce39da3b303e4103f7f0ac0f81e64954fc5f2df250272c946f1c4f170"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fontconfig/common.zig"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED070", "level": "none", "message": {"text": "[MINED070] Zig Undefined Init: var x: T = undefined leaves memory uninitialized. Often a foot-gun."}, "properties": {"repobilityId": 85886, "scanner": "repobility-threat-engine", "fingerprint": "1b95cb01ebfa31fea413eec807583454980fa3c0f5c9e1ba62b105e3cc06f7d0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "zig-undefined-init", "owasp": null, "cwe_ids": [], "languages": ["zig"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348065+00:00", "triaged_in_corpus": 12, "observations_count": 36548, "ai_coder_pattern_id": 171}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1b95cb01ebfa31fea413eec807583454980fa3c0f5c9e1ba62b105e3cc06f7d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "example/zig-formatter/src/main.zig"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress (and 498 more): Same pattern found in 498 additional files. Review if needed."}, "properties": {"repobilityId": 85885, "scanner": "repobility-threat-engine", "fingerprint": "06bf38d920e84904e8d4ac40ff0d58d57e4f3d64b6ec839e3c0bff59a5a1805d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 498 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|06bf38d920e84904e8d4ac40ff0d58d57e4f3d64b6ec839e3c0bff59a5a1805d", "aggregated_count": 498}}}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 85884, "scanner": "repobility-threat-engine", "fingerprint": "b23887379f56f6ff53205a76cf96c48b47a3aff5cc7014859abc354d0b720ed3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b23887379f56f6ff53205a76cf96c48b47a3aff5cc7014859abc354d0b720ed3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "example/c-vt-effects/build.zig"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 85883, "scanner": "repobility-threat-engine", "fingerprint": "1dbae4588b0497947835d9934b9950cf0e2b595658495253a48e4b11879db4b5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1dbae4588b0497947835d9934b9950cf0e2b595658495253a48e4b11879db4b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "example/c-vt-colors/build.zig"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 85882, "scanner": "repobility-threat-engine", "fingerprint": "563948c44209e975adfa88e46bacc697123615971a986b54a211cc09f6342a4b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|563948c44209e975adfa88e46bacc697123615971a986b54a211cc09f6342a4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "example/c-vt-build-info/build.zig"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/flathub-infra/flatpak-github-actions:gnome-47` unpinned: `container/services image: ghcr.io/flathub-infra/flatpak-github-actions:gnome-47` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 86002, "scanner": "repobility-supply-chain", "fingerprint": "5ca1371a7495120a70ebe1228b4c84f19015839a4d42e3c19175828da9d4e35f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5ca1371a7495120a70ebe1228b4c84f19015839a4d42e3c19175828da9d4e35f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/flatpak.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `DeterminateSystems/nix-installer-action` pinned to mutable ref `@main`: `uses: DeterminateSystems/nix-installer-action@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86001, "scanner": "repobility-supply-chain", "fingerprint": "e692b6189fae8aa4a77d71b2e602b1bc2ec28b606d8cfe51c3ad0a6d86712e6e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e692b6189fae8aa4a77d71b2e602b1bc2ec28b606d8cfe51c3ad0a6d86712e6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-tip.yml"}, "region": {"startLine": 857}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `DeterminateSystems/nix-installer-action` pinned to mutable ref `@main`: `uses: DeterminateSystems/nix-installer-action@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86000, "scanner": "repobility-supply-chain", "fingerprint": "bf7e9b7d41d1b31c69a4528ba5408162393d7b996bf608217bee6ebf2c794670", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf7e9b7d41d1b31c69a4528ba5408162393d7b996bf608217bee6ebf2c794670"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-tip.yml"}, "region": {"startLine": 660}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `DeterminateSystems/nix-installer-action` pinned to mutable ref `@main`: `uses: DeterminateSystems/nix-installer-action@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85999, "scanner": "repobility-supply-chain", "fingerprint": "2f9282c9efcc1fd094628e352ce6b84cd6ad709b12897abf6726e94eee119b03", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2f9282c9efcc1fd094628e352ce6b84cd6ad709b12897abf6726e94eee119b03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-tip.yml"}, "region": {"startLine": 404}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `DeterminateSystems/nix-installer-action` pinned to mutable ref `@main`: `uses: DeterminateSystems/nix-installer-action@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85998, "scanner": "repobility-supply-chain", "fingerprint": "dab888090cfe152a3e58fff67ca60ccae2df7fbc67f2dd0e2db328439ae54d7c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dab888090cfe152a3e58fff67ca60ccae2df7fbc67f2dd0e2db328439ae54d7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-tip.yml"}, "region": {"startLine": 312}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `DeterminateSystems/nix-installer-action` pinned to mutable ref `@main`: `uses: DeterminateSystems/nix-installer-action@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85997, "scanner": "repobility-supply-chain", "fingerprint": "3db5fc7dd67f6e72ba960825c1fb3d818709e044db84f6ac2e7d50b22a5f469d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3db5fc7dd67f6e72ba960825c1fb3d818709e044db84f6ac2e7d50b22a5f469d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-tag.yml"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `DeterminateSystems/nix-installer-action` pinned to mutable ref `@main`: `uses: DeterminateSystems/nix-installer-action@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85971, "scanner": "repobility-supply-chain", "fingerprint": "f55a1ece5aeaf40fe1d33dfc735821eb429d5782b934bf5089fc4619fcbb78a0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f55a1ece5aeaf40fe1d33dfc735821eb429d5782b934bf5089fc4619fcbb78a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 1593}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `DeterminateSystems/nix-installer-action` pinned to mutable ref `@main`: `uses: DeterminateSystems/nix-installer-action@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85970, "scanner": "repobility-supply-chain", "fingerprint": "0e7b639ff3ef5257209278a53d187d349fe827c18d34dd40a09c073d2badb250", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0e7b639ff3ef5257209278a53d187d349fe827c18d34dd40a09c073d2badb250"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 1371}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `DeterminateSystems/nix-installer-action` pinned to mutable ref `@main`: `uses: DeterminateSystems/nix-installer-action@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85969, "scanner": "repobility-supply-chain", "fingerprint": "a5727a84b5633b601c1afc1c65b03dc19594f77b45dcc4a84a26ad85b0b8424b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a5727a84b5633b601c1afc1c65b03dc19594f77b45dcc4a84a26ad85b0b8424b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 1131}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `DeterminateSystems/nix-installer-action` pinned to mutable ref `@main`: `uses: DeterminateSystems/nix-installer-action@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85968, "scanner": "repobility-supply-chain", "fingerprint": "5c55e24073ab75134df3b010985355fb064db52683709946eaabe145f76aa251", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5c55e24073ab75134df3b010985355fb064db52683709946eaabe145f76aa251"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 1071}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `DeterminateSystems/nix-installer-action` pinned to mutable ref `@main`: `uses: DeterminateSystems/nix-installer-action@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85967, "scanner": "repobility-supply-chain", "fingerprint": "554a839861b5bbf7b3d220d33d8695559c1e9e06c5dd41451a38ab877d8fb92f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|554a839861b5bbf7b3d220d33d8695559c1e9e06c5dd41451a38ab877d8fb92f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 639}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `DeterminateSystems/nix-installer-action` pinned to mutable ref `@main`: `uses: DeterminateSystems/nix-installer-action@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85966, "scanner": "repobility-supply-chain", "fingerprint": "aba09e9538aa6d9a8eb056f2dcecfdc5c51644b866fc6654e3edc19f3ec5ab34", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aba09e9538aa6d9a8eb056f2dcecfdc5c51644b866fc6654e3edc19f3ec5ab34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 329}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.safe_literal_eval` used but never assigned in __init__: Method `process_patch_entry` of class `PatchSetExtractor` reads `self.safe_literal_eval`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 85965, "scanner": "repobility-ast-engine", "fingerprint": "b43cc88edbd80a2938fc2af099bb628d0d94991407458538f61435056c87afd5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b43cc88edbd80a2938fc2af099bb628d0d94991407458538f61435056c87afd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/font/nerd_font_codegen.py"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.resolve_symbol` used but never assigned in __init__: Method `process_patch_entry` of class `PatchSetExtractor` reads `self.resolve_symbol`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 85964, "scanner": "repobility-ast-engine", "fingerprint": "bc6b835b68af74c9277a6070832ad43c58ed935ed401aa2e9dc4d23b2bc841d5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bc6b835b68af74c9277a6070832ad43c58ed935ed401aa2e9dc4d23b2bc841d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/font/nerd_font_codegen.py"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.safe_literal_eval` used but never assigned in __init__: Method `resolve_symbol` of class `PatchSetExtractor` reads `self.safe_literal_eval`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 85963, "scanner": "repobility-ast-engine", "fingerprint": "bd66f63cf37652a6306a87558f4ac7f7294f468b08142e8797f1ae4cd2c2efc7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bd66f63cf37652a6306a87558f4ac7f7294f468b08142e8797f1ae4cd2c2efc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/font/nerd_font_codegen.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.safe_literal_eval` used but never assigned in __init__: Method `resolve_symbol` of class `PatchSetExtractor` reads `self.safe_literal_eval`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 85962, "scanner": "repobility-ast-engine", "fingerprint": "6f8ba70fc63aa2a922b85995291916a9351b5b10286a0dfa286b8cd7e7e859cb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6f8ba70fc63aa2a922b85995291916a9351b5b10286a0dfa286b8cd7e7e859cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/font/nerd_font_codegen.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.process_patch_entry` used but never assigned in __init__: Method `visit_setup_patch_set` of class `PatchSetExtractor` reads `self.process_patch_entry`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 85961, "scanner": "repobility-ast-engine", "fingerprint": "22083d9b9f3a5bb5657f236cbb007cdcdbaa091c7ea79e508a6d58e159848400", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|22083d9b9f3a5bb5657f236cbb007cdcdbaa091c7ea79e508a6d58e159848400"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/font/nerd_font_codegen.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.visit_setup_patch_set` used but never assigned in __init__: Method `visit_ClassDef` of class `PatchSetExtractor` reads `self.visit_setup_patch_set`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 85960, "scanner": "repobility-ast-engine", "fingerprint": "938ff08c10fb91ff51db736f7018e283cb199c04383d986006b7362f786cb78b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|938ff08c10fb91ff51db736f7018e283cb199c04383d986006b7362f786cb78b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/font/nerd_font_codegen.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generic_visit` used but never assigned in __init__: Method `visit_Assign` of class `PatchSetExtractor` reads `self.generic_visit`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 85959, "scanner": "repobility-ast-engine", "fingerprint": "866bcb5549be23770be2a71476718ca27e7201504c72a1e80fbd1d59993a9fba", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|866bcb5549be23770be2a71476718ca27e7201504c72a1e80fbd1d59993a9fba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/font/nerd_font_codegen.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 85954, "scanner": "repobility-docker", "fingerprint": "80336ec94451157fbea7ae2d1879d25dd9a2e0594f97a45310755dac9c66dc84", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|80336ec94451157fbea7ae2d1879d25dd9a2e0594f97a45310755dac9c66dc84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/build/docker/debian/Dockerfile"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC005", "level": "error", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 85940, "scanner": "repobility-threat-engine", "fingerprint": "fdcb182277940b5b1f1e95018c3358c515686b6c2e1ec8a9cf5da46aabffc96e", "category": "injection", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Command source appears controllable (config/plugin/argv/user input)", "evidence": {"match": "Exec(argv", "reason": "Command source appears controllable (config/plugin/argv/user input)", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|injection|src/os/xdg.zig|106|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/os/xdg.zig"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 85935, "scanner": "repobility-threat-engine", "fingerprint": "b448e8cdef0795a8a6b74429360d95a41e7add6dc43d31f1ede16be7971806ea", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "Print(\"{{x:0>{}}}\", .{token_hex_len})", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|src/apprt/gtk/portal.zig|1|print x:0 . token_hex_len"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/apprt/gtk/portal.zig"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match."}, "properties": {"repobilityId": 85933, "scanner": "repobility-threat-engine", "fingerprint": "2ff9f7dd9a916d7e8f4bf29447819854a33e7fe6145010b0a27ed07d79c1c200", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2ff9f7dd9a916d7e8f4bf29447819854a33e7fe6145010b0a27ed07d79c1c200"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/apprt/gtk/class/surface_scrolled_window.zig"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match."}, "properties": {"repobilityId": 85932, "scanner": "repobility-threat-engine", "fingerprint": "e0c46a297093b2ebe67a446c19a8784bead95535042503f202251b5288c012c8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0c46a297093b2ebe67a446c19a8784bead95535042503f202251b5288c012c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/apprt/gtk/class/inspector_window.zig"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match."}, "properties": {"repobilityId": 85931, "scanner": "repobility-threat-engine", "fingerprint": "b5988829350515c161895a7c9e0a6ccc721756686ae5178e20e920e279a85a67", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b5988829350515c161895a7c9e0a6ccc721756686ae5178e20e920e279a85a67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/apprt/gtk/class/config.zig"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED002", "level": "error", "message": {"text": "[MINED002] Dart Null Bang: value! throws on null. Use ?. or null check."}, "properties": {"repobilityId": 85925, "scanner": "repobility-threat-engine", "fingerprint": "42856972328fb86467a588b29c495df875e5b55a96dcf5566d5121fe468c1d51", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "dart-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347899+00:00", "triaged_in_corpus": 15, "observations_count": 1434931, "ai_coder_pattern_id": 167}, "scanner": "repobility-threat-engine", "correlation_key": "fp|42856972328fb86467a588b29c495df875e5b55a96dcf5566d5121fe468c1d51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config/command.zig"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED002", "level": "error", "message": {"text": "[MINED002] Dart Null Bang: value! throws on null. Use ?. or null check."}, "properties": {"repobilityId": 85924, "scanner": "repobility-threat-engine", "fingerprint": "50d471be4db8a7bfabbf6497194ab61da677e2edd64de3c84904cf8f7f8abfb4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "dart-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347899+00:00", "triaged_in_corpus": 15, "observations_count": 1434931, "ai_coder_pattern_id": 167}, "scanner": "repobility-threat-engine", "correlation_key": "fp|50d471be4db8a7bfabbf6497194ab61da677e2edd64de3c84904cf8f7f8abfb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/apprt/gtk/portal.zig"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED002", "level": "error", "message": {"text": "[MINED002] Dart Null Bang: value! throws on null. Use ?. or null check."}, "properties": {"repobilityId": 85923, "scanner": "repobility-threat-engine", "fingerprint": "30bc325ab6f8c28c077ebc927e7ec79a4357f0a8aee7a3f82558127f45c3750a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "dart-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347899+00:00", "triaged_in_corpus": 15, "observations_count": 1434931, "ai_coder_pattern_id": 167}, "scanner": "repobility-threat-engine", "correlation_key": "fp|30bc325ab6f8c28c077ebc927e7ec79a4357f0a8aee7a3f82558127f45c3750a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/wuffs/src/swizzle.zig"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 85908, "scanner": "repobility-threat-engine", "fingerprint": "9a1809742ac83aabba315f58a778e44b286fdb3d60f605b2516ba04583f65741", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9a1809742ac83aabba315f58a778e44b286fdb3d60f605b2516ba04583f65741"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/breakpad/build.zig"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED008", "level": "error", "message": {"text": "[MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let."}, "properties": {"repobilityId": 85903, "scanner": "repobility-threat-engine", "fingerprint": "92ca21993a95327455ba70c231c82726b2c8beec7a912f57ac713ff5062200ea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "swift-force-unwrap", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["swift"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347916+00:00", "triaged_in_corpus": 15, "observations_count": 210453, "ai_coder_pattern_id": 157}, "scanner": "repobility-threat-engine", "correlation_key": "fp|92ca21993a95327455ba70c231c82726b2c8beec7a912f57ac713ff5062200ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "macos/Sources/Helpers/PermissionRequest.swift"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED008", "level": "error", "message": {"text": "[MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let."}, "properties": {"repobilityId": 85902, "scanner": "repobility-threat-engine", "fingerprint": "6d74a7c879295f17607e20f77757093883c59518ec1edce15ed6dee4033bf2af", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "swift-force-unwrap", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["swift"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347916+00:00", "triaged_in_corpus": 15, "observations_count": 210453, "ai_coder_pattern_id": 157}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d74a7c879295f17607e20f77757093883c59518ec1edce15ed6dee4033bf2af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "macos/Sources/Helpers/Extensions/NSImage+Extension.swift"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 85900, "scanner": "repobility-threat-engine", "fingerprint": "0c8118dc6bbaab82fc076080a7a676d3966f8ae68f5425fc9c7142dd9d077410", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "result.fs.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0c8118dc6bbaab82fc076080a7a676d3966f8ae68f5425fc9c7142dd9d077410"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fontconfig/test.zig"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 85899, "scanner": "repobility-threat-engine", "fingerprint": "e5f8ca614f4edf2de6e681426bb77036bf2bc82132313f8125a7dba165dbf8cc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "parentMenu.update()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e5f8ca614f4edf2de6e681426bb77036bf2bc82132313f8125a7dba165dbf8cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "macos/Sources/Ghostty/Ghostty.MenuShortcutManager.swift"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 85898, "scanner": "repobility-threat-engine", "fingerprint": "912134af1b8dd89e5f49ad1520db8faab9a02e880425ecaf480c17fc5f0054ba", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "super.update()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|912134af1b8dd89e5f49ad1520db8faab9a02e880425ecaf480c17fc5f0054ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "macos/Sources/Features/Terminal/Window Styles/TransparentTitlebarTerminalWindow.swift"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 85896, "scanner": "repobility-threat-engine", "fingerprint": "785b00d06f080678101f6769a6de7e77294f9f95b2f9784a4c95c3f1cdf5def1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|785b00d06f080678101f6769a6de7e77294f9f95b2f9784a4c95c3f1cdf5def1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "macos/Sources/Features/Terminal/TerminalView.swift"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 85895, "scanner": "repobility-threat-engine", "fingerprint": "25a5a9dec5938a1a9b3c49cccd23ae2360786a77e61d66ad4afb94d3d06cb6ca", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|25a5a9dec5938a1a9b3c49cccd23ae2360786a77e61d66ad4afb94d3d06cb6ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "macos/Sources/Features/Custom App Icon/AppIcon.swift"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 85894, "scanner": "repobility-threat-engine", "fingerprint": "dd0ad29f1d8221bf8e2293548db11c2def8c85141e2d6f7d39026698e49f83f5", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dd0ad29f1d8221bf8e2293548db11c2def8c85141e2d6f7d39026698e49f83f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "macos/Sources/Features/About/AboutView.swift"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85996, "scanner": "repobility-supply-chain", "fingerprint": "17922d4b625bf41bbd0565dec3424546dfdef333a4e84d59bcc2118f3e16a99a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|17922d4b625bf41bbd0565dec3424546dfdef333a4e84d59bcc2118f3e16a99a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 1377}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85995, "scanner": "repobility-supply-chain", "fingerprint": "e029640bd8756ec89ca8c23984ffdcb1b4130b00cf5ddb307d311f7a62ea960f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e029640bd8756ec89ca8c23984ffdcb1b4130b00cf5ddb307d311f7a62ea960f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 1346}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85994, "scanner": "repobility-supply-chain", "fingerprint": "20bcb272eb8c270c0052ee1374feb97f19138e314331ee35c7945ff7a54ff052", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|20bcb272eb8c270c0052ee1374feb97f19138e314331ee35c7945ff7a54ff052"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 1311}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85993, "scanner": "repobility-supply-chain", "fingerprint": "99cfa20ca57302c1d675081201765b0d0c50b7a14097a97a42df3a18dbbd59ae", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|99cfa20ca57302c1d675081201765b0d0c50b7a14097a97a42df3a18dbbd59ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 1263}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85992, "scanner": "repobility-supply-chain", "fingerprint": "ab302e2576d76f9880b30efb8c6d4691691cdaf3972ca02df6d6de2ead6f1b3c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ab302e2576d76f9880b30efb8c6d4691691cdaf3972ca02df6d6de2ead6f1b3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 1228}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85991, "scanner": "repobility-supply-chain", "fingerprint": "a8400780cb07215718c3f41803079be02593000a91dc928fd74c6b5fee646c9b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a8400780cb07215718c3f41803079be02593000a91dc928fd74c6b5fee646c9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 1191}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85990, "scanner": "repobility-supply-chain", "fingerprint": "6e18cf69a2ad92433068cf945a6d17776c72ca44729af5dceeb23b667d932adc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e18cf69a2ad92433068cf945a6d17776c72ca44729af5dceeb23b667d932adc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 1137}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85989, "scanner": "repobility-supply-chain", "fingerprint": "6e86884303eea3d5714dd85c78dd873234149dcea52fa829a869842b1c773512", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e86884303eea3d5714dd85c78dd873234149dcea52fa829a869842b1c773512"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 1077}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85988, "scanner": "repobility-supply-chain", "fingerprint": "83d30b6edadcfcab033ed2bf0bf7453b01ba619d990b7a806db8a543a5fdb6c1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|83d30b6edadcfcab033ed2bf0bf7453b01ba619d990b7a806db8a543a5fdb6c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 1014}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85987, "scanner": "repobility-supply-chain", "fingerprint": "a544581e979e59f68927ab27b320dec6765e96d7d2cf62bb13375885ba4f5dd4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a544581e979e59f68927ab27b320dec6765e96d7d2cf62bb13375885ba4f5dd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 946}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85986, "scanner": "repobility-supply-chain", "fingerprint": "04068f48182c6c4e74c928e0c84e6556459d5a8b6d8d4f7858ed07cd6c64172b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|04068f48182c6c4e74c928e0c84e6556459d5a8b6d8d4f7858ed07cd6c64172b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 906}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85985, "scanner": "repobility-supply-chain", "fingerprint": "d3a1f4aa82d02f6324fd3dbe18bed81ddf366ef2df214b6006058184c63fd630", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d3a1f4aa82d02f6324fd3dbe18bed81ddf366ef2df214b6006058184c63fd630"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 824}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85984, "scanner": "repobility-supply-chain", "fingerprint": "05d2f17143c3e3feb06b1034bbe7c7bfcf96538269671b7fc372669bcb3af447", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|05d2f17143c3e3feb06b1034bbe7c7bfcf96538269671b7fc372669bcb3af447"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 791}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85983, "scanner": "repobility-supply-chain", "fingerprint": "ed2a7a526c3703975ea1f44d4c4b1f7f52b2751410289162975bfcb46e9a257a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ed2a7a526c3703975ea1f44d4c4b1f7f52b2751410289162975bfcb46e9a257a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 762}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85982, "scanner": "repobility-supply-chain", "fingerprint": "53f9c6cf3589c2d35d6e0bc12df13967a2e255e400fe5edd1d6d5a1ffe14a10e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|53f9c6cf3589c2d35d6e0bc12df13967a2e255e400fe5edd1d6d5a1ffe14a10e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 685}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85981, "scanner": "repobility-supply-chain", "fingerprint": "68c59ad547f12fd7a9bac2ee460688ad56ba7a3a7799641c9580fa11d050b132", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|68c59ad547f12fd7a9bac2ee460688ad56ba7a3a7799641c9580fa11d050b132"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 645}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85980, "scanner": "repobility-supply-chain", "fingerprint": "d09068f44051777fe22b8eb0fd14da95897a6a27e84d988ca4ae71331e4603d8", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d09068f44051777fe22b8eb0fd14da95897a6a27e84d988ca4ae71331e4603d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 609}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85979, "scanner": "repobility-supply-chain", "fingerprint": "ccf4167f84d02bb0239a08a4c41e7654c0898ffda57a2b1b291c13acd8c29eee", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ccf4167f84d02bb0239a08a4c41e7654c0898ffda57a2b1b291c13acd8c29eee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 564}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85978, "scanner": "repobility-supply-chain", "fingerprint": "ed7470848f7b1d04b28c16324447d59217e1d66733d4b55d298b5ba97b102c55", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ed7470848f7b1d04b28c16324447d59217e1d66733d4b55d298b5ba97b102c55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 530}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85977, "scanner": "repobility-supply-chain", "fingerprint": "f69bf3f84a5585f58e0e574bf92c5361c1c4d6ac1d38d9b4b1725afdffebe97e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f69bf3f84a5585f58e0e574bf92c5361c1c4d6ac1d38d9b4b1725afdffebe97e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 413}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85976, "scanner": "repobility-supply-chain", "fingerprint": "19c9ddf4fc7fc1570c855d8eb6d9e018e9b8d959983b764f2ec2ac5e4d331d94", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|19c9ddf4fc7fc1570c855d8eb6d9e018e9b8d959983b764f2ec2ac5e4d331d94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 375}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85975, "scanner": "repobility-supply-chain", "fingerprint": "8649c0c145ba81ca5a0fc74040b2f1ad26c1bc1abb2af00a342f90557e4bd698", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8649c0c145ba81ca5a0fc74040b2f1ad26c1bc1abb2af00a342f90557e4bd698"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 335}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85974, "scanner": "repobility-supply-chain", "fingerprint": "e08c5296b10c03575283e758f2e8ce55b15c23e874757ff43624fc7184ecc702", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e08c5296b10c03575283e758f2e8ce55b15c23e874757ff43624fc7184ecc702"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 269}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85973, "scanner": "repobility-supply-chain", "fingerprint": "c32f0d38db616fb73305ef17a6a0b61c95718886edf599bacd355db4b184bd6f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c32f0d38db616fb73305ef17a6a0b61c95718886edf599bacd355db4b184bd6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 233}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 85972, "scanner": "repobility-supply-chain", "fingerprint": "eb4a4ce048ed6e149cfd20f69bb9c2b1eb22bc905a2fcb256c2b7dd0734f298b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb4a4ce048ed6e149cfd20f69bb9c2b1eb22bc905a2fcb256c2b7dd0734f298b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 175}}}]}, {"ruleId": "MINED005", "level": "error", "message": {"text": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection."}, "properties": {"repobilityId": 85921, "scanner": "repobility-threat-engine", "fingerprint": "aabcec3dbe8a0462085352a4a2bcf0a2393b21aa2ed6e44b9a5764f9cf2b85a8", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "lua-loadstring", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["lua"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347908+00:00", "triaged_in_corpus": 20, "observations_count": 291730, "ai_coder_pattern_id": 169}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aabcec3dbe8a0462085352a4a2bcf0a2393b21aa2ed6e44b9a5764f9cf2b85a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/show_config.zig"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED005", "level": "error", "message": {"text": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection."}, "properties": {"repobilityId": 85920, "scanner": "repobility-threat-engine", "fingerprint": "ab068f4a5dc93acc3c12f67111c79eee9c669aa37af5105879bb5bf3172f9926", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "lua-loadstring", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["lua"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347908+00:00", "triaged_in_corpus": 20, "observations_count": 291730, "ai_coder_pattern_id": 169}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ab068f4a5dc93acc3c12f67111c79eee9c669aa37af5105879bb5bf3172f9926"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/edit_config.zig"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED005", "level": "error", "message": {"text": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection."}, "properties": {"repobilityId": 85919, "scanner": "repobility-threat-engine", "fingerprint": "e2fb28441749427bf0933cfd52504cfa583f0ced0f81a2e9a0f438fd58d0456a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "lua-loadstring", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["lua"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347908+00:00", "triaged_in_corpus": 20, "observations_count": 291730, "ai_coder_pattern_id": 169}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e2fb28441749427bf0933cfd52504cfa583f0ced0f81a2e9a0f438fd58d0456a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/opengl/glad.zig"}, "region": {"startLine": 15}}}]}]}]}