{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR017", "name": "Dockerfile installs dependencies after copying the full source tree", "shortDescription": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "fullDescription": {"text": "Copy dependency manifests first, install dependencies in a cached layer, then copy the rest of the source tree."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED088", "name": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks.", "shortDescription": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 1 more): Same pattern found in 1 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 34 more): Same pattern found in 34 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 34 more): Same pattern found in 34 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 31 more): Same pattern found in 31 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 5 more): Same pattern found in 5 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 9 more): Same pattern found in 9 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 42 more): Same pattern found in 42 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 112 more): Same pattern found in 112 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 112 more): Same pattern found in 112 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `examples/example-expo-53/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `e", "shortDescription": {"text": "[MINED134] Binary file `examples/example-expo-53/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `examples/example-expo-53/android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,583 bytes) committed to a repo t"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `posthog-node` pulled from URL/Git: `dependencies.posthog-node` = `file:../../target/posthog", "shortDescription": {"text": "[MINED122] package.json dep `posthog-node` pulled from URL/Git: `dependencies.posthog-node` = `file:../../target/posthog-node.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or gi"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images "}, "fullDescription": {"text": "Replace with: `FROM node:20-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express POST /flags has no auth: Express route POST /flags declared without an auth middleware in its handler", "shortDescription": {"text": "[MINED113] Express POST /flags has no auth: Express route POST /flags declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "fullDescription": {"text": "Add an auth middleware: app.post('/flags', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "Create .dockerignore before using broad context copies, or copy only the required files and directories."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN001", "name": "Token handoff appears to use a callback URL or fragment", "shortDescription": {"text": "Token handoff appears to use a callback URL or fragment"}, "fullDescription": {"text": "Use a server-side one-time authorization code tied to a registered callback allowlist. Do not append access tokens to callback URLs or fragments."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1186"}, "properties": {"repository": "PostHog/posthog-js", "repoUrl": "https://github.com/PostHog/posthog-js", "branch": "main"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 119247, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 119244, "scanner": "repobility-docker", "fingerprint": "68a97258c39fe5d2195c1c4053ff01d495f5869475f30a9162b128b876ccd24f", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:20-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|68a97258c39fe5d2195c1c4053ff01d495f5869475f30a9162b128b876ccd24f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/react-router/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 119243, "scanner": "repobility-docker", "fingerprint": "8ea3d24b5c696e08d2c9d2ede60733a191c1d93f089038967d49246ac9f0cd8c", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 2 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 2, "correlation_key": "fp|8ea3d24b5c696e08d2c9d2ede60733a191c1d93f089038967d49246ac9f0cd8c", "dependency_install_line": 4}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/react-router/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 119240, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 119221, "scanner": "repobility-threat-engine", "fingerprint": "2787dc8ac64674ddcbd4f73b7ac0cde1430bd212c0a399683d4ad04d00d5e5b3", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"https://vite.dev\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|playground/vite/src/main.ts|8|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/vite/src/main.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 119217, "scanner": "repobility-threat-engine", "fingerprint": "e6cf38201278afb6bd6d95ffeb9276affad081a77420f113b78e7783cb38f68a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) {\n    return null;\n  }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e6cf38201278afb6bd6d95ffeb9276affad081a77420f113b78e7783cb38f68a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/rrweb/rrweb/src/replay/canvas/webgl.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 119216, "scanner": "repobility-threat-engine", "fingerprint": "c9865849545597f18fb131c333d8120d1526ce4470cd4d5a11e2d22606dfd971", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) {\n        return null\n      }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c9865849545597f18fb131c333d8120d1526ce4470cd4d5a11e2d22606dfd971"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/src/native-deps.tsx"}, "region": {"startLine": 150}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 119214, "scanner": "repobility-threat-engine", "fingerprint": "d29404ed1a2a0dac69537471c581d58ec5e14cd1a800fa998109136a1fe28959", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d29404ed1a2a0dac69537471c581d58ec5e14cd1a800fa998109136a1fe28959"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/src/optional/OptionalAsyncStorage.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 119213, "scanner": "repobility-threat-engine", "fingerprint": "432e72d18f312bae9cf4561180727cbdd885f7f440ff728a11a76bfdd9197155", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|432e72d18f312bae9cf4561180727cbdd885f7f440ff728a11a76bfdd9197155"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/src/native-deps.tsx"}, "region": {"startLine": 216}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 119212, "scanner": "repobility-threat-engine", "fingerprint": "3bbe259153c4a724a6bc52ae5fad7b1e853080c1b4b019ad9a23bc996f10a953", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3bbe259153c4a724a6bc52ae5fad7b1e853080c1b4b019ad9a23bc996f10a953"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/utils/promise-queue.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 119211, "scanner": "repobility-threat-engine", "fingerprint": "7444db991a6c7ed1e4fcbc8e9c2bd0736ab501a3ef5336f4cd6b82fd0ce24dda", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DEBUG = true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7444db991a6c7ed1e4fcbc8e9c2bd0736ab501a3ef5336f4cd6b82fd0ce24dda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/nextjs/pages/_app.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 119210, "scanner": "repobility-threat-engine", "fingerprint": "f30c2d77653d3964f8f88a388035672b9ec8cf3fd5721e67a9db40399c6fe888", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Debug = true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f30c2d77653d3964f8f88a388035672b9ec8cf3fd5721e67a9db40399c6fe888"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/gzip.ts"}, "region": {"startLine": 130}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 119178, "scanner": "repobility-threat-engine", "fingerprint": "6dacb0005f3654ad80d4efc500cdde2c812902bbc647218f71a7ce5394021d98", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|26|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/error-tracking/parsers/chrome.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 119177, "scanner": "repobility-threat-engine", "fingerprint": "3b2f8e21f83fbd0208f3f682cd723a4a1878f670994d6e2ecccc556552030b9c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|12|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/src/utils/elements-chain-utils.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 119176, "scanner": "repobility-threat-engine", "fingerprint": "8faf3a8c0588a6b3f95705d31a09198fc493034a1e420dc1de90e7b4e0a4fe34", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|8|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/sanitization/base64_recognizer.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 119162, "scanner": "repobility-threat-engine", "fingerprint": "3205558745c94a244985f7e839225d0c7123d5bb78c3e3b9fc04397d362cc564", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'John Doe'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3205558745c94a244985f7e839225d0c7123d5bb78c3e3b9fc04397d362cc564"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/scripts/generate-docs.js"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 119161, "scanner": "repobility-threat-engine", "fingerprint": "695612ac54c4067cba03ca4fb434eeaf2693ab9eef18b3728332f4bd33b4f564", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'John Doe'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|695612ac54c4067cba03ca4fb434eeaf2693ab9eef18b3728332f4bd33b4f564"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/node/scripts/generate-docs.mjs"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 119160, "scanner": "repobility-threat-engine", "fingerprint": "e2f274b59492d6731abdb1134641366e29517bcfafca321018091c3ecc3e763c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'user@example.com'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e2f274b59492d6731abdb1134641366e29517bcfafca321018091c3ecc3e763c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/example-next-app-router/app/auth/page.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 119251, "scanner": "repobility-web-presence", "fingerprint": "5ac545a73c06d357fe2c4523bb7b7230791d10ffb96235e48e2539b7c8eb5617", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|5ac545a73c06d357fe2c4523bb7b7230791d10ffb96235e48e2539b7c8eb5617"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/example-web/public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 119246, "scanner": "repobility-docker", "fingerprint": "08a5002209f3c862aed901def37f35deef8777b0eb0f13f9b379332ed1905df6", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "sdk-adapter", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|08a5002209f3c862aed901def37f35deef8777b0eb0f13f9b379332ed1905df6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compliance/node/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 119245, "scanner": "repobility-docker", "fingerprint": "301b185e9758be95177ae40e4e2a353b96a550f51966f4efb68ae6de00f1f7bd", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "sdk-adapter", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|301b185e9758be95177ae40e4e2a353b96a550f51966f4efb68ae6de00f1f7bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compliance/browser/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119239, "scanner": "repobility-ai-code-hygiene", "fingerprint": "55dda6cb9c6a53f736fad2b188b264f54207d6bfead5413259ef0b78bf59726d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/rrweb/rrdom/src/index.ts", "duplicate_line": 308, "correlation_key": "fp|55dda6cb9c6a53f736fad2b188b264f54207d6bfead5413259ef0b78bf59726d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/rrweb/rrweb-snapshot/src/utils.ts"}, "region": {"startLine": 175}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119238, "scanner": "repobility-ai-code-hygiene", "fingerprint": "017454591c1d445c33f2df67fcb6d099b6e386a557268ffdd449b02a787fb552", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/rrweb/rrweb-snapshot/src/index.ts", "duplicate_line": 1, "correlation_key": "fp|017454591c1d445c33f2df67fcb6d099b6e386a557268ffdd449b02a787fb552"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/rrweb/rrweb-snapshot/src/record.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119237, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ad5f41cdcf0d02ce841c71f740b24d6eb12bee46ffa258248fe1a0fbb4162a29", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/rrweb/rrdom/src/diff.ts", "duplicate_line": 36, "correlation_key": "fp|ad5f41cdcf0d02ce841c71f740b24d6eb12bee46ffa258248fe1a0fbb4162a29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/rrweb/rrweb-snapshot/src/rebuild.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119236, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b31dabd413c4e9bb8ed31af06ce45b59d0e42f0181a581cc17be5d5fa4cff020", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/rrweb/rrdom-nodejs/src/document-nodejs.ts", "duplicate_line": 87, "correlation_key": "fp|b31dabd413c4e9bb8ed31af06ce45b59d0e42f0181a581cc17be5d5fa4cff020"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/rrweb/rrdom/src/index.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119235, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9806e58a820848494474584221c1823e7b63ad9ddcc65a5a726a395ca8275841", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/rrweb/plugins/rrweb-plugin-console-record/src/index.ts", "duplicate_line": 21, "correlation_key": "fp|9806e58a820848494474584221c1823e7b63ad9ddcc65a5a726a395ca8275841"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/rrweb/plugins/rrweb-plugin-console-replay/src/index.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119234, "scanner": "repobility-ai-code-hygiene", "fingerprint": "73c530e6ca342efb89c8f877a59d958a46d2278691715b561b7e467755dfb1d9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/browser/src/extensions/surveys/surveys-extension-utils.tsx", "duplicate_line": 287, "correlation_key": "fp|73c530e6ca342efb89c8f877a59d958a46d2278691715b561b7e467755dfb1d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/src/surveys/surveys-utils.ts"}, "region": {"startLine": 294}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119233, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4fe4ecc3591f526e970988ffa25170a40af7093154e502921da233dd190695e6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/browser/src/utils/survey-branching.ts", "duplicate_line": 32, "correlation_key": "fp|4fe4ecc3591f526e970988ffa25170a40af7093154e502921da233dd190695e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/src/surveys/surveys-utils.ts"}, "region": {"startLine": 209}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119232, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e7c4d9f896134ca10fe3a0955e3a7e05ed2f3122a1c4f7b750605cc52320f794", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/browser/src/extensions/surveys/components/QuestionTypes.tsx", "duplicate_line": 509, "correlation_key": "fp|e7c4d9f896134ca10fe3a0955e3a7e05ed2f3122a1c4f7b750605cc52320f794"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/src/surveys/components/QuestionTypes.tsx"}, "region": {"startLine": 387}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119231, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d1f197c4aa21a29ee9f12f5acaf54cddb1a8891929b0abec68157916027f9f98", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/rslib.config.ts", "duplicate_line": 1, "correlation_key": "fp|d1f197c4aa21a29ee9f12f5acaf54cddb1a8891929b0abec68157916027f9f98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/plugin-utils/rslib.config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119230, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b9902dae088f9d85f1af3e3a5749d4fed39e82c47e21dc00f1dfa61fdcc80585", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/convex/src/client/feature-flags/types.ts", "duplicate_line": 23, "correlation_key": "fp|b9902dae088f9d85f1af3e3a5749d4fed39e82c47e21dc00f1dfa61fdcc80585"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/node/src/types.ts"}, "region": {"startLine": 105}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119229, "scanner": "repobility-ai-code-hygiene", "fingerprint": "43d3468535cc444049338080f0f75046be2c762f758484ea68f1a006a9556e44", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/browser/src/extensions/sentry-integration.ts", "duplicate_line": 73, "correlation_key": "fp|43d3468535cc444049338080f0f75046be2c762f758484ea68f1a006a9556e44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/node/src/extensions/sentry-integration.ts"}, "region": {"startLine": 75}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119228, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4eae6a05d3d5e28cc52374ea67530ebaa5775e0cdaa6e43247226757e9e20c89", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/rslib.config.ts", "duplicate_line": 1, "correlation_key": "fp|4eae6a05d3d5e28cc52374ea67530ebaa5775e0cdaa6e43247226757e9e20c89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/node/rslib.config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119227, "scanner": "repobility-ai-code-hygiene", "fingerprint": "87237ea6e0a0d314546cab4becbabfbee8552d4160aeab85e822c78f22f11d4c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/rslib.config.ts", "duplicate_line": 1, "correlation_key": "fp|87237ea6e0a0d314546cab4becbabfbee8552d4160aeab85e822c78f22f11d4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp/rslib.config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119226, "scanner": "repobility-ai-code-hygiene", "fingerprint": "685dd80f38df630db11d378cf78ab88c682f62849abc8139ddc2f1c19a2d1805", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/browser/src/posthog-surveys-types.ts", "duplicate_line": 86, "correlation_key": "fp|685dd80f38df630db11d378cf78ab88c682f62849abc8139ddc2f1c19a2d1805"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/types.ts"}, "region": {"startLine": 392}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119225, "scanner": "repobility-ai-code-hygiene", "fingerprint": "83742410984de7ec2e91c2ad82f440cacbe7560f7065ca9a01681d69c7cc6e55", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/browser/playwright.config.compat.ts", "duplicate_line": 4, "correlation_key": "fp|83742410984de7ec2e91c2ad82f440cacbe7560f7065ca9a01681d69c7cc6e55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playwright.config.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119224, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7009961e0e44b2d229387506acb6eb1ac3e9cc5bb33edb82dab833518eda4cea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/browser/playground/redux-todo-list/src/store.ts", "duplicate_line": 10, "correlation_key": "fp|7009961e0e44b2d229387506acb6eb1ac3e9cc5bb33edb82dab833518eda4cea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/redux-todo-list/src/todoLogic.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119223, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8f4efd9264e4e01b4ea65e95acb93e4e43fee7a212a710f707e21cab7292cce3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ai/src/openai/azure.ts", "duplicate_line": 59, "correlation_key": "fp|8f4efd9264e4e01b4ea65e95acb93e4e43fee7a212a710f707e21cab7292cce3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/openai/index.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119222, "scanner": "repobility-ai-code-hygiene", "fingerprint": "53d7e08d8c0fde809bcfc4d1da7c5495cf39e052459d7bb258d9722df4db2631", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compliance/browser/adapter.js", "duplicate_line": 212, "correlation_key": "fp|53d7e08d8c0fde809bcfc4d1da7c5495cf39e052459d7bb258d9722df4db2631"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compliance/node/adapter.js"}, "region": {"startLine": 111}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 119208, "scanner": "repobility-threat-engine", "fingerprint": "ab89163bc596e1ba31149311745bd244d0675b84b9e007fd40027ec0fd5ddb0c", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = c", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|36|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/rrweb/rrweb/scripts/repl.js"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 119207, "scanner": "repobility-threat-engine", "fingerprint": "350332a490d0369d9198045bbb10f0fa4e9e3f83cc203685e7af2e033e79c4e4", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = t", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|271|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/src/web-experiments.ts"}, "region": {"startLine": 271}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 119196, "scanner": "repobility-threat-engine", "fingerprint": "ee5b4f62c2e3c54482a0509b85f715a2c9fe63d7f17b5848f432063326495114", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'/issues/?project=' +\n        projectId +\n        '&query='", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ee5b4f62c2e3c54482a0509b85f715a2c9fe63d7f17b5848f432063326495114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/node/src/extensions/sentry-integration.ts"}, "region": {"startLine": 150}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 119195, "scanner": "repobility-threat-engine", "fingerprint": "ea312d96ada5bd3824d5d82031edb314bfe35c9e9a3e3a150f637722a69b9847", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.warn(' must be a number. using max or fallback. max: ' + max + '", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ea312d96ada5bd3824d5d82031edb314bfe35c9e9a3e3a150f637722a69b9847"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/utils/number-utils.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 119194, "scanner": "repobility-threat-engine", "fingerprint": "198cfac795bed3ae3bc19a2bb47b10a2b7bab3d800989f14981105f601d093be", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'/issues/?project=' +\n                projectId +\n                '&query='", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|198cfac795bed3ae3bc19a2bb47b10a2b7bab3d800989f14981105f601d093be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/src/extensions/sentry-integration.ts"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED088", "level": "none", "message": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "properties": {"repobilityId": 119219, "scanner": "repobility-threat-engine", "fingerprint": "4f2df98b1b40519b72fc226ca07a3b5a4e6507ccac9d927fed62df424dd4abc0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-conditional-hook", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348143+00:00", "triaged_in_corpus": 20, "observations_count": 600, "ai_coder_pattern_id": 139}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4f2df98b1b40519b72fc226ca07a3b5a4e6507ccac9d927fed62df424dd4abc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react/src/context/PostHogProvider.tsx"}, "region": {"startLine": 69}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 119215, "scanner": "repobility-threat-engine", "fingerprint": "055b128e54917333871f45ce83794a8adcd0bcced4122364ec765924b53569e5", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|055b128e54917333871f45ce83794a8adcd0bcced4122364ec765924b53569e5"}}}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 119209, "scanner": "repobility-threat-engine", "fingerprint": "0ec1a985434354ca2002c8bdff9452dae49826fa5ad2907c3ce8a4e937d74bbd", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0ec1a985434354ca2002c8bdff9452dae49826fa5ad2907c3ce8a4e937d74bbd"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 119204, "scanner": "repobility-threat-engine", "fingerprint": "c066fdac20648ab02e6c78e05ac6d7be6049c4550b793a58bcd25dd5d0594df0", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c066fdac20648ab02e6c78e05ac6d7be6049c4550b793a58bcd25dd5d0594df0"}}}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 119200, "scanner": "repobility-threat-engine", "fingerprint": "bc622422aece995c7e07e0c16de081f3178587059cc7d4258a61a173910ef549", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|bc622422aece995c7e07e0c16de081f3178587059cc7d4258a61a173910ef549"}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 119193, "scanner": "repobility-threat-engine", "fingerprint": "7074ebbbdca963a3640eb9852b7f0bf64dbd4eb61491ef2625c42a5311ed9a04", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7074ebbbdca963a3640eb9852b7f0bf64dbd4eb61491ef2625c42a5311ed9a04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/src/extensions/product-tours/components/ProductTourTooltipInner.tsx"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 119192, "scanner": "repobility-threat-engine", "fingerprint": "f2f7a3ce725e01fe6b36ce05f8fa3a909648683c7f7d3085a14865396905e962", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f2f7a3ce725e01fe6b36ce05f8fa3a909648683c7f7d3085a14865396905e962"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/src/extensions/product-tours/components/ProductTourBanner.tsx"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 34 more): Same pattern found in 34 additional files. Review if needed."}, "properties": {"repobilityId": 119191, "scanner": "repobility-threat-engine", "fingerprint": "c1ea769a74e4a77fe2e0ec67acba985c88b1dbecd6304fcc26f091d4d19ea324", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 34 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c1ea769a74e4a77fe2e0ec67acba985c88b1dbecd6304fcc26f091d4d19ea324", "aggregated_count": 34}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 119190, "scanner": "repobility-threat-engine", "fingerprint": "dfc0218511d96de2d591693ebee4c6935fc05e70d2e295f7dcae6318618554f7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dfc0218511d96de2d591693ebee4c6935fc05e70d2e295f7dcae6318618554f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/src/extensions/exception-autocapture/index.ts"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 119189, "scanner": "repobility-threat-engine", "fingerprint": "2a003127337571587c5f451cb59462cf58055668b720a9fa4223e1ddc861c888", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a003127337571587c5f451cb59462cf58055668b720a9fa4223e1ddc861c888"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/src/extensions/dead-clicks-autocapture.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 119188, "scanner": "repobility-threat-engine", "fingerprint": "3ea1eff11c17523ed4b4f98064e97c4ec2e5d31f568c3b97b4c5420db5c7a799", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3ea1eff11c17523ed4b4f98064e97c4ec2e5d31f568c3b97b4c5420db5c7a799"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/src/entrypoints/tracing-headers.ts"}, "region": {"startLine": 216}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "properties": {"repobilityId": 119187, "scanner": "repobility-threat-engine", "fingerprint": "599bed58a4156ac49e687a71aea5a0d583746cd1286e14d082c22c5975e369d0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|599bed58a4156ac49e687a71aea5a0d583746cd1286e14d082c22c5975e369d0", "aggregated_count": 31}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 119186, "scanner": "repobility-threat-engine", "fingerprint": "4472c243c8994b9f0915a2e3423f1169e03f45e94244f4f2948d6144c4e88d9b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4472c243c8994b9f0915a2e3423f1169e03f45e94244f4f2948d6144c4e88d9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/src/entrypoints/array.full.es5.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 119185, "scanner": "repobility-threat-engine", "fingerprint": "4f8d4ad6ef6e8401de03e7cc5d0ccc2926d1667090a2e5b7b75e24741129be23", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4f8d4ad6ef6e8401de03e7cc5d0ccc2926d1667090a2e5b7b75e24741129be23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/src/consent.ts"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 119184, "scanner": "repobility-threat-engine", "fingerprint": "ce9ee3cf7e60c78ae84f6f3012485fb1baa3da97a18f1caa242072c9c822a0c7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ce9ee3cf7e60c78ae84f6f3012485fb1baa3da97a18f1caa242072c9c822a0c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/chakra-emotion/src/main.tsx"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 119183, "scanner": "repobility-threat-engine", "fingerprint": "f0f1912fabc03e8b42b281439b24cb65b4b95c00e24de98dbc05ebdccb4b8c1d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f0f1912fabc03e8b42b281439b24cb65b4b95c00e24de98dbc05ebdccb4b8c1d"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 119179, "scanner": "repobility-threat-engine", "fingerprint": "7ad821c68fd7d69c56ceaf843dc975879999279796dea3d5e69af832688addea", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7ad821c68fd7d69c56ceaf843dc975879999279796dea3d5e69af832688addea"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 119175, "scanner": "repobility-threat-engine", "fingerprint": "4e858a56c34b65b0912e3fe629971d6d32fcda68cee02eb1f3bab34175679dd4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4e858a56c34b65b0912e3fe629971d6d32fcda68cee02eb1f3bab34175679dd4"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 119171, "scanner": "repobility-threat-engine", "fingerprint": "d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 119170, "scanner": "repobility-threat-engine", "fingerprint": "258c830290477396ad7f334547859847e46c0d274339c17fcf6f334e5f635005", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.warn('[PostHog Next.js] apiKey is required \u2014 PostHog will not be initialized')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|3|console.warn posthog next.js apikey is required posthog will not be initialized"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/next/src/client/ClientPostHogProvider.tsx"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 119169, "scanner": "repobility-threat-engine", "fingerprint": "6e41f8c30211477c3310e1da7f555ec375d00467aaf606b72d76717c9c5693d8", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.warn('[PostHogSpanProcessor] apiKey is missing or blank; the processor will be disabled.')", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|8|console.warn posthogspanprocessor apikey is missing or blank the processor will be disabled."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/otel/processor.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 119168, "scanner": "repobility-threat-engine", "fingerprint": "82f5638260bb076b91f7978a53a364a2adc34254e41accdb3c2b560e67f734d0", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.warn('[PostHogTraceExporter] projectToken is missing or blank; the exporter will be disabled", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|9|console.warn posthogtraceexporter projecttoken is missing or blank the exporter will be disabled"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/otel/exporter.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 119167, "scanner": "repobility-threat-engine", "fingerprint": "6d638efea05789caff597b5fe788564ae810a6add52e01af7c7e66ad58581866", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6d638efea05789caff597b5fe788564ae810a6add52e01af7c7e66ad58581866", "aggregated_count": 3}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 119166, "scanner": "repobility-threat-engine", "fingerprint": "5ed19e433e950b6a85ace80a82f686c576ce8206f52c1e2380c94548c0246415", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5ed19e433e950b6a85ace80a82f686c576ce8206f52c1e2380c94548c0246415"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react/src/components/PostHogCaptureOnViewed.tsx"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 119165, "scanner": "repobility-threat-engine", "fingerprint": "64dc6ab0562c76e090380c4a873a53183b94bafcb54bc175bf5edb2bd4bff691", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|64dc6ab0562c76e090380c4a873a53183b94bafcb54bc175bf5edb2bd4bff691"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/src/extensions/product-tours/components/ProductTourSurveyStepInner.tsx"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 119164, "scanner": "repobility-threat-engine", "fingerprint": "9286aa2fd7f77de3ec882d9c09df624c39d695373618358a0794f78c678d8351", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9286aa2fd7f77de3ec882d9c09df624c39d695373618358a0794f78c678d8351"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/example-next-app-router/app/capture/page.tsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC134", "level": "none", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 119163, "scanner": "repobility-threat-engine", "fingerprint": "2fc2352ee79a239983bde3b99e3e602f191c3f964939343206bb75ac755d22c0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2fc2352ee79a239983bde3b99e3e602f191c3f964939343206bb75ac755d22c0"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 119159, "scanner": "repobility-threat-engine", "fingerprint": "87a374dc589dd420ec377c72db2b292cf3fbbfe6642b8efe3d05d9fe2427b14e", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|87a374dc589dd420ec377c72db2b292cf3fbbfe6642b8efe3d05d9fe2427b14e"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 119155, "scanner": "repobility-threat-engine", "fingerprint": "63e706bcc85b827f6e5d102c7e97e4a4af9730ab7c064e414bdf00d1b6f01b4b", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|22|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/example-convex/convex/convexAgent/manualCapture.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 119154, "scanner": "repobility-threat-engine", "fingerprint": "1476d0d69a426414e7eccf36d3fe09d73ebd71d6d542d06933e5e63c9184d882", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|15|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/example-convex/convex/aiSdk/manualCapture.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "properties": {"repobilityId": 119153, "scanner": "repobility-threat-engine", "fingerprint": "b46cab4075f10735f1d22f500745b75e7c2f7ba42bf2fc33e5622a8f06863edf", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 42 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b46cab4075f10735f1d22f500745b75e7c2f7ba42bf2fc33e5622a8f06863edf", "aggregated_count": 42}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 119152, "scanner": "repobility-threat-engine", "fingerprint": "c991f5011ca4e581b30f3f3ddc72b459b2f5b0e7f2c044ac9f8d7ae98c263f77", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c991f5011ca4e581b30f3f3ddc72b459b2f5b0e7f2c044ac9f8d7ae98c263f77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/example-node/server.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 119151, "scanner": "repobility-threat-engine", "fingerprint": "6e4e4d8f997f06b91b338bcd41dc285298d293a79efe62740d88ae7f060d0f6c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6e4e4d8f997f06b91b338bcd41dc285298d293a79efe62740d88ae7f060d0f6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/example-expo-53/app/surveys.tsx"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 119150, "scanner": "repobility-threat-engine", "fingerprint": "6ad59c8ae1be8097e9676c8e08096153c13dce857951c7b91d98cab5953a6fce", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6ad59c8ae1be8097e9676c8e08096153c13dce857951c7b91d98cab5953a6fce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/example-ai-aws-bedrock/chat.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 112 more): Same pattern found in 112 additional files. Review if needed."}, "properties": {"repobilityId": 119149, "scanner": "repobility-threat-engine", "fingerprint": "d6b9e4972ca0832a7d45518c0845664e49a19578e1c45fffa7d6e0c30e492a27", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 112 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d6b9e4972ca0832a7d45518c0845664e49a19578e1c45fffa7d6e0c30e492a27", "aggregated_count": 112}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 119148, "scanner": "repobility-threat-engine", "fingerprint": "4ae1d4a4722f5a6b8fa7e953965c1bb3a7983e78edfa7b6511e3a002a1e70e13", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4ae1d4a4722f5a6b8fa7e953965c1bb3a7983e78edfa7b6511e3a002a1e70e13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/example-ai-anthropic/streaming.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 119147, "scanner": "repobility-threat-engine", "fingerprint": "2fedb2315bdd89c9f8f3d3c61a0363a4f1de6c3509cff4e88b233ee5fb24720f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2fedb2315bdd89c9f8f3d3c61a0363a4f1de6c3509cff4e88b233ee5fb24720f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/example-ai-anthropic/chat.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 119146, "scanner": "repobility-threat-engine", "fingerprint": "8be01b0690ec899c1dfb027863394bae31ea39afa907d2672b16a5baf20eca08", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8be01b0690ec899c1dfb027863394bae31ea39afa907d2672b16a5baf20eca08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compliance/node/adapter.js"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 119142, "scanner": "repobility-threat-engine", "fingerprint": "deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "aggregated_count": 1}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 119141, "scanner": "repobility-threat-engine", "fingerprint": "074c10bd350f686f091f72720370967247752480c5373dd603a28a6c02a8a823", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|074c10bd350f686f091f72720370967247752480c5373dd603a28a6c02a8a823"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compliance/browser/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 119140, "scanner": "repobility-threat-engine", "fingerprint": "2099186b87964ced9cee5ca5c9f1ef44ff6c5b836eebe2d77a170ec5f113f111", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2099186b87964ced9cee5ca5c9f1ef44ff6c5b836eebe2d77a170ec5f113f111"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/nextjs/pages/replay-examples/iframe.tsx"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 119139, "scanner": "repobility-threat-engine", "fingerprint": "1701cc5dbdd8aa7c4e19c5051282e31a46b5156a1dbe751b7a6e61e02d95b0e8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1701cc5dbdd8aa7c4e19c5051282e31a46b5156a1dbe751b7a6e61e02d95b0e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/utils/bot-detection.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `examples/example-expo-53/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `examples/example-expo-53/android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,583 bytes) committed to a repo that otherwise has 1278 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 119282, "scanner": "repobility-supply-chain", "fingerprint": "066b4883eb6ce40b74e840eab831afaf72540010f0f586c18594add2a7d6a37f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|066b4883eb6ce40b74e840eab831afaf72540010f0f586c18594add2a7d6a37f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/example-expo-53/android/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `posthog-node` pulled from URL/Git: `dependencies.posthog-node` = `file:../../target/posthog-node.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 119281, "scanner": "repobility-supply-chain", "fingerprint": "8faa0bf4131867c55f34e525ed2dac748bb8ff08ce8a5dee669e3d0cbed4279f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8faa0bf4131867c55f34e525ed2dac748bb8ff08ce8a5dee669e3d0cbed4279f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/example-convex/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@posthog/convex` pulled from URL/Git: `dependencies.@posthog/convex` = `file:../../target/posthog-convex.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 119280, "scanner": "repobility-supply-chain", "fingerprint": "ce62c79755c1a11d4e2e7114f534c4cd69747e95905bd21dd6ca7bb9d80b808c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ce62c79755c1a11d4e2e7114f534c4cd69747e95905bd21dd6ca7bb9d80b808c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/example-convex/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@posthog/ai` pulled from URL/Git: `dependencies.@posthog/ai` = `file:../../target/posthog-ai.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 119279, "scanner": "repobility-supply-chain", "fingerprint": "62a53fefa111fed29f69aae74471c7ca93713572431b9ab91269500d6c220bb5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|62a53fefa111fed29f69aae74471c7ca93713572431b9ab91269500d6c220bb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/example-convex/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `posthog-js` pulled from URL/Git: `dependencies.posthog-js` = `file:../../..` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 119278, "scanner": "repobility-supply-chain", "fingerprint": "55afb079af6e002a959ad6d08bde0f8320b4746e36878b7df44e43842f67f24d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|55afb079af6e002a959ad6d08bde0f8320b4746e36878b7df44e43842f67f24d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/error-tracking/next-ts-app/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `posthog-js` pulled from URL/Git: `dependencies.posthog-js` = `link:../../..` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 119277, "scanner": "repobility-supply-chain", "fingerprint": "7eb696a4d016a92e0d62000f6f62fc4a6aaf79a83cd9a30a46486b7dfc192fb0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7eb696a4d016a92e0d62000f6f62fc4a6aaf79a83cd9a30a46486b7dfc192fb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/error-tracking/react-ts-esbuild/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `posthog-js` pulled from URL/Git: `dependencies.posthog-js` = `link:../../..` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 119276, "scanner": "repobility-supply-chain", "fingerprint": "928bd731471012f29b4f03990a7f11af71d3917ebab12c51a22801d12e48a671", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|928bd731471012f29b4f03990a7f11af71d3917ebab12c51a22801d12e48a671"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/error-tracking/vue-ts-esbuild/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 119275, "scanner": "repobility-supply-chain", "fingerprint": "53942d77d84b1fa8fd3279637fe3ddf0de95977ad1cf8f1a497e7bcf335e8ded", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|53942d77d84b1fa8fd3279637fe3ddf0de95977ad1cf8f1a497e7bcf335e8ded"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/react-router/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 119274, "scanner": "repobility-supply-chain", "fingerprint": "964fafb966ebcf700d9ed57edc701706db2dfaee7e819ebcf6377bc6e6288ec9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|964fafb966ebcf700d9ed57edc701706db2dfaee7e819ebcf6377bc6e6288ec9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/react-router/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 119273, "scanner": "repobility-supply-chain", "fingerprint": "d4ffde4ed52cfd3a31e6f6e555a54d39efa4fbef7d109474f45fe234eeaada38", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d4ffde4ed52cfd3a31e6f6e555a54d39efa4fbef7d109474f45fe234eeaada38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/react-router/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 119272, "scanner": "repobility-supply-chain", "fingerprint": "07891ddf7069c151bd8fbe759c9f56f1a9667022bcfccca713b8622c14982ab8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|07891ddf7069c151bd8fbe759c9f56f1a9667022bcfccca713b8622c14982ab8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/react-router/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `posthog-js` pulled from URL/Git: `dependencies.posthog-js` = `file:../../dist/` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 119271, "scanner": "repobility-supply-chain", "fingerprint": "ad11c87957d4e380d66b62ae147bf1c447e6884d2872f0ec0bc71194b6818992", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad11c87957d4e380d66b62ae147bf1c447e6884d2872f0ec0bc71194b6818992"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/react-router/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `posthog-js` pulled from URL/Git: `dependencies.posthog-js` = `file:../../dist/` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 119270, "scanner": "repobility-supply-chain", "fingerprint": "261601f5b6c62c52500570d53b3d166c6667f69b0531ad93ad162877e06c7c57", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|261601f5b6c62c52500570d53b3d166c6667f69b0531ad93ad162877e06c7c57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/nuxtjs/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `posthog-js` pulled from URL/Git: `dependencies.posthog-js` = `link:../../..` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 119269, "scanner": "repobility-supply-chain", "fingerprint": "417bda6744a4b8b58ba2af72cd7c61fdb9fdd3b4645719a46842ce6b5506da5c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|417bda6744a4b8b58ba2af72cd7c61fdb9fdd3b4645719a46842ce6b5506da5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/chakra-emotion/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `posthog-js` pulled from URL/Git: `dependencies.posthog-js` = `file:../..` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 119268, "scanner": "repobility-supply-chain", "fingerprint": "2493f6ebf13d3cf82031b46eefd5a210930f8f8de8e264aebc64d774ddf40676", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2493f6ebf13d3cf82031b46eefd5a210930f8f8de8e264aebc64d774ddf40676"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/csp-violations/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `posthog-js` pulled from URL/Git: `dependencies.posthog-js` = `file:../../dist` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 119267, "scanner": "repobility-supply-chain", "fingerprint": "cba1e2eaaf6fc09f40e7fc483ec46fd6403e186c33cac2350bfd1baf5218f652", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cba1e2eaaf6fc09f40e7fc483ec46fd6403e186c33cac2350bfd1baf5218f652"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/redux-todo-list/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `posthog-js` pulled from URL/Git: `devDependencies.posthog-js` = `link:` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 119266, "scanner": "repobility-supply-chain", "fingerprint": "bf3213ebca5d183cb554963a7cc3e363d8d1a05ac29f34814f9843bbdd95d817", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf3213ebca5d183cb554963a7cc3e363d8d1a05ac29f34814f9843bbdd95d817"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 119265, "scanner": "repobility-supply-chain", "fingerprint": "ede4f108af26fe7a8d65b7e8867992dc9830be65bda221cd9209d52a60e1e504", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ede4f108af26fe7a8d65b7e8867992dc9830be65bda221cd9209d52a60e1e504"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compliance/node/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 119264, "scanner": "repobility-supply-chain", "fingerprint": "e0718b5d6e4dac4c6f16b313342c186c06b4e886205bd832cb2b29d58d5e80d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e0718b5d6e4dac4c6f16b313342c186c06b4e886205bd832cb2b29d58d5e80d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compliance/browser/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `eslint-plugin-posthog-js` pulled from URL/Git: `devDependencies.eslint-plugin-posthog-js` = `link:tooling/eslint-plugin-posthog-js` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 119263, "scanner": "repobility-supply-chain", "fingerprint": "8cc21956989c300c5b9eea4479088293321fea1458c430216718db6dfaeb1c92", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8cc21956989c300c5b9eea4479088293321fea1458c430216718db6dfaeb1c92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /flags has no auth: Express route POST /flags declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 119262, "scanner": "repobility-route-auth", "fingerprint": "4ea3c82e60b85e134ff9c21c9b1e3b487e65d03feea11e879a2df93448a2d42a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|4ea3c82e60b85e134ff9c21c9b1e3b487e65d03feea11e879a2df93448a2d42a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/session-recordings/server.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /reset has no auth: Express route POST /reset declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 119261, "scanner": "repobility-route-auth", "fingerprint": "66570063e3bd74c5fb222ebbfdaf4861e1fc5e18f171a41dbe1e585d0375628f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|66570063e3bd74c5fb222ebbfdaf4861e1fc5e18f171a41dbe1e585d0375628f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compliance/node/adapter.js"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /get_feature_flag has no auth: Express route POST /get_feature_flag declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 119260, "scanner": "repobility-route-auth", "fingerprint": "db16a4f5e94c85c502ddd6f1d2a7b09fad3baa62133d4bc402f35a1aee04be81", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|db16a4f5e94c85c502ddd6f1d2a7b09fad3baa62133d4bc402f35a1aee04be81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compliance/node/adapter.js"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /flush has no auth: Express route POST /flush declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 119259, "scanner": "repobility-route-auth", "fingerprint": "b09fa8feb7f6e14203411585cdffe662488cb096a943d29b0ee2ffa9819233fa", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b09fa8feb7f6e14203411585cdffe662488cb096a943d29b0ee2ffa9819233fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compliance/node/adapter.js"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /capture has no auth: Express route POST /capture declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 119258, "scanner": "repobility-route-auth", "fingerprint": "247a7bafca2b9c20760c62436f5fecae8aa88b66cafa19bb29b7b8e6d7a967e9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|247a7bafca2b9c20760c62436f5fecae8aa88b66cafa19bb29b7b8e6d7a967e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compliance/node/adapter.js"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /init has no auth: Express route POST /init declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 119257, "scanner": "repobility-route-auth", "fingerprint": "9ca6e53b7293b9c88d10340faefa4f964f4ca326e4220941efdbd5002ba3fcf3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|9ca6e53b7293b9c88d10340faefa4f964f4ca326e4220941efdbd5002ba3fcf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compliance/node/adapter.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /reset has no auth: Express route POST /reset declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 119256, "scanner": "repobility-route-auth", "fingerprint": "ad6b3e1fa956550ca3bc8bea6025fb79e9059adc71463e3bacc90fb08f8b8d25", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ad6b3e1fa956550ca3bc8bea6025fb79e9059adc71463e3bacc90fb08f8b8d25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compliance/browser/adapter.js"}, "region": {"startLine": 375}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /get_feature_flag has no auth: Express route POST /get_feature_flag declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 119255, "scanner": "repobility-route-auth", "fingerprint": "c7338ca6daf30542d5fd1cab910ca634ea4259a10fde059475b7895b4b073e0b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|c7338ca6daf30542d5fd1cab910ca634ea4259a10fde059475b7895b4b073e0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compliance/browser/adapter.js"}, "region": {"startLine": 291}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /flush has no auth: Express route POST /flush declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 119254, "scanner": "repobility-route-auth", "fingerprint": "81df8e7f835df61c11155d0dd6f129d78b44c6b8d3d46f77ed40101ce1ba7931", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|81df8e7f835df61c11155d0dd6f129d78b44c6b8d3d46f77ed40101ce1ba7931"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compliance/browser/adapter.js"}, "region": {"startLine": 270}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /capture has no auth: Express route POST /capture declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 119253, "scanner": "repobility-route-auth", "fingerprint": "2d3c28983ccf665c8422c4868daf2decd71a374fc377274d38f0550e672f74ef", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|2d3c28983ccf665c8422c4868daf2decd71a374fc377274d38f0550e672f74ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compliance/browser/adapter.js"}, "region": {"startLine": 241}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /init has no auth: Express route POST /init declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 119252, "scanner": "repobility-route-auth", "fingerprint": "8970eb16de4ec941de8fa128b63f2e836295cc36232f22b161cfd94496d3030a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|8970eb16de4ec941de8fa128b63f2e836295cc36232f22b161cfd94496d3030a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compliance/browser/adapter.js"}, "region": {"startLine": 198}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 119250, "scanner": "repobility-journey-contract", "fingerprint": "a83ed24323d8cc2d720bf2c6f747b43e3d7c4c6bd94da1eadd6c470bfe9380e9", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|37|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/copy-autocapture/demo.html"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 119242, "scanner": "repobility-docker", "fingerprint": "e37d27db0de76b572d6be3276d1a9d3f84d8f8aaef2885bae0086f977a7784f0", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|e37d27db0de76b572d6be3276d1a9d3f84d8f8aaef2885bae0086f977a7784f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/react-router/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 119241, "scanner": "repobility-docker", "fingerprint": "ee891576ea1e4c52ea1c251c85971f11c376d8ef8ceee2093345c4af89c2c37a", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|ee891576ea1e4c52ea1c251c85971f11c376d8ef8ceee2093345c4af89c2c37a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/playground/react-router/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 119220, "scanner": "repobility-threat-engine", "fingerprint": "638e400b520a63079da812ac3d4fa3aa44503cfbaa6194b039ecde06f853c992", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin', '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|638e400b520a63079da812ac3d4fa3aa44503cfbaa6194b039ecde06f853c992"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/rrweb/rrweb/scripts/utils.js"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 119218, "scanner": "repobility-threat-engine", "fingerprint": "262e1ce8e8e406b3ccea534bb514d465b707f63e2edcb2b58b79f8b251621814", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|262e1ce8e8e406b3ccea534bb514d465b707f63e2edcb2b58b79f8b251621814"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/src/tooling/utils.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 119206, "scanner": "repobility-threat-engine", "fingerprint": "f52b9d830bc54249d80c8e7a5935dafd1d03e40b66441b9cdd50fde2f39b537a", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|playground/vite/src/main.ts|6|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/vite/src/main.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 119205, "scanner": "repobility-threat-engine", "fingerprint": "990a3af1174b383c725c80798313d010da6f748cd7cec4eeba2006c28a17a756", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(URL_REGEX_PREFIX + 'google.([^/?]*)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|141|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/src/utils/event-utils.ts"}, "region": {"startLine": 141}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 119203, "scanner": "repobility-threat-engine", "fingerprint": "64fddc1ef7809487cb2f400ca124df5b81b7046840b3d225aa16bb8c5192c9ad", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `count is ${counter}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|64fddc1ef7809487cb2f400ca124df5b81b7046840b3d225aa16bb8c5192c9ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/vite/src/counter.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 119202, "scanner": "repobility-threat-engine", "fingerprint": "78566eb7d5975628a580f5f0beb268b3cc474386b9e55f8bf9b7fd1d46e82e79", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((x) => `${x}:${flattened[x]}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|78566eb7d5975628a580f5f0beb268b3cc474386b9e55f8bf9b7fd1d46e82e79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/src/autocapture.tsx"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 119201, "scanner": "repobility-threat-engine", "fingerprint": "a75387441c505be8fffd1f68792267cde08209e193f8aca64c08d2b7352a5495", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a75387441c505be8fffd1f68792267cde08209e193f8aca64c08d2b7352a5495"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/src/extensions/surveys/components/PostHogLogo.tsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 119199, "scanner": "repobility-threat-engine", "fingerprint": "48acb8304146feba09cb2baa3cec414d21f283bd4656d75cb13c947a9b529415", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(str", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|48acb8304146feba09cb2baa3cec414d21f283bd4656d75cb13c947a9b529415"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/src/utils/regex-utils.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 119198, "scanner": "repobility-threat-engine", "fingerprint": "acb3d95dab9340db667592b174282c098e0e6cdc3a439d7f92e28152e70e5fc4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(likePattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|acb3d95dab9340db667592b174282c098e0e6cdc3a439d7f92e28152e70e5fc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/src/utils/elements-chain-utils.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 119197, "scanner": "repobility-threat-engine", "fingerprint": "41db5d2886ff0d30b48cf4fbbb204b00412adb9b5e264cf22f13ca6fe64f3855", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(step", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|41db5d2886ff0d30b48cf4fbbb204b00412adb9b5e264cf22f13ca6fe64f3855"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/src/extensions/surveys/action-matcher.ts"}, "region": {"startLine": 182}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 119182, "scanner": "repobility-threat-engine", "fingerprint": "e137fd6eb6df3ac0217e80bbc286fc1f6199bd4107dc7edd0d49fe3471e550a3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(line", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e137fd6eb6df3ac0217e80bbc286fc1f6199bd4107dc7edd0d49fe3471e550a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/error-tracking/parsers/chrome.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 119181, "scanner": "repobility-threat-engine", "fingerprint": "548b809fa35f3a06d7db9449d77c5b1874e6968ff62fadb3aed2e859a77854e6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(elementsChain", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|548b809fa35f3a06d7db9449d77c5b1874e6968ff62fadb3aed2e859a77854e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/src/utils/elements-chain-utils.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 119180, "scanner": "repobility-threat-engine", "fingerprint": "950f18521353c86000acdcf6205fec8bc68a692860014727d04fd929e4ad70bd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(value", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|950f18521353c86000acdcf6205fec8bc68a692860014727d04fd929e4ad70bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/sanitization/base64_recognizer.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 119174, "scanner": "repobility-threat-engine", "fingerprint": "79454f1b5d8ea9fcc0cab9b427cdafedef336f5363f9a9a026f358559c23c0f3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "response.cookies.delete(cookieName)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|79454f1b5d8ea9fcc0cab9b427cdafedef336f5363f9a9a026f358559c23c0f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/next/src/middleware/postHogMiddleware.ts"}, "region": {"startLine": 162}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 119173, "scanner": "repobility-threat-engine", "fingerprint": "d3bb25adaad3d296c268602681c06efafa77c0de5a9d10462e6f9be20113595f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this._cache.delete(key)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d3bb25adaad3d296c268602681c06efafa77c0de5a9d10462e6f9be20113595f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/error-tracking/utils.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 119172, "scanner": "repobility-threat-engine", "fingerprint": "82e4fcf1f2ed9490e00e222d7bdabce346ca8c9d335f132068c45ea7b1337869", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.cache.delete(name)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|82e4fcf1f2ed9490e00e222d7bdabce346ca8c9d335f132068c45ea7b1337869"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/prompts.ts"}, "region": {"startLine": 256}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 119158, "scanner": "repobility-threat-engine", "fingerprint": "719c333f031380227a2718524a8f3b763cbab2acc312ae2372ee5fb896ac927a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(n", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|719c333f031380227a2718524a8f3b763cbab2acc312ae2372ee5fb896ac927a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/otel/processor.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 119157, "scanner": "repobility-threat-engine", "fingerprint": "64d6730336528de78cd06934976f36798d824fc62627ae710c8df6715aaad380", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(n", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|64d6730336528de78cd06934976f36798d824fc62627ae710c8df6715aaad380"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/otel/exporter.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 119156, "scanner": "repobility-threat-engine", "fingerprint": "67fb182980a33fddf3584c25c9739e2d7f2bc5c713aa38628dbcb89d1c1b3377", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|67fb182980a33fddf3584c25c9739e2d7f2bc5c713aa38628dbcb89d1c1b3377"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/example-expo-53/ios/exampleexpo53/AppDelegate.swift"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 119145, "scanner": "repobility-threat-engine", "fingerprint": "2feda5ac59265d560fd0282c21c02866c763cfce48d7a1c0871b4174b0eda02a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2feda5ac59265d560fd0282c21c02866c763cfce48d7a1c0871b4174b0eda02a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/docs/utils.js"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 119144, "scanner": "repobility-threat-engine", "fingerprint": "623b4df4e997bbee1f4e863fefa26ddd79f7f0299c42fcdad0ef6cec3eee85f9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|623b4df4e997bbee1f4e863fefa26ddd79f7f0299c42fcdad0ef6cec3eee85f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compliance/node/adapter.js"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 119143, "scanner": "repobility-threat-engine", "fingerprint": "22e280580f9e7b422df7f73016408920663b7e6e778a0874e29cdf1cec8668ca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post('/init', (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|22e280580f9e7b422df7f73016408920663b7e6e778a0874e29cdf1cec8668ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compliance/node/adapter.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 119249, "scanner": "repobility-journey-contract", "fingerprint": "f3f3fc16647c7582763c0ac909a539c6b0eba117e975e4fc5b77a7e1ca87be68", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|217|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/src/posthog-surveys.ts"}, "region": {"startLine": 217}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 119248, "scanner": "repobility-journey-contract", "fingerprint": "68708d925df15977d0f94fd343fc1db1e2f697d782a037405c73f29f615f6024", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|1154|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browser/src/posthog-featureflags.ts"}, "region": {"startLine": 1154}}}]}]}]}