{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR017", "name": "Dockerfile installs dependencies after copying the full source tree", "shortDescription": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "fullDescription": {"text": "Copy dependency manifests first, install dependencies in a cached layer, then copy the rest of the source tree."}, "properties": {"scanner": "repobility-docker", "category": "docker", 
"severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR004", "name": "Docker build secret exposed through ARG", "shortDescription": {"text": "Docker build secret exposed through ARG"}, "fullDescription": {"text": "Replace secret ARG usage with `RUN --mount=type=secret,id=name ...` and pass the value with `docker build --secret`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. 
Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC112", "name": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/templa", "shortDescription": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. Using either with user input = XSS."}, "fullDescription": {"text": "Use `html/template` (NOT `text/template`) for HTML responses. Never wrap user input with `template.HTML/JS/URL`."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. 
Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs 
recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. 
Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 30 more): Same pattern found in 30 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check (and 7 more): Same pattern found in 7 a", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 55 more): Same pattern found in 55 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 55 more): Same pattern found in 55 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.", "shortDescription": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 26 more): Same pattern found in 26 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. 
In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 13 more): Same pattern found in 13 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 23 more): Same pattern found in 23 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 62 more): Same pattern found in 62 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 62 more): Same pattern found in 62 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run", "shortDescription": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) "}, "fullDescription": {"text": "Replace with: `uses: pnpm/action-setup@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Produc"}, "fullDescription": {"text": "Replace with: `FROM debian:bookworm-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `eslint-plugin-bsky-internal` pulled from URL/Git: `devDependencies.eslint-plugin-bsky-inter", "shortDescription": {"text": "[MINED122] package.json dep `eslint-plugin-bsky-internal` pulled from URL/Git: `devDependencies.eslint-plugin-bsky-internal` = `link:eslint` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. 
If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express POST /link has no auth: Express route POST /link declared without an auth middleware in its handler c", "shortDescription": {"text": "[MINED113] Express POST /link has no auth: Express route POST /link declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "fullDescription": {"text": "Add an auth middleware: app.post('/link', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without 
.dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "Create .dockerignore before using broad context copies, or copy only the required files and directories."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED028", "name": "[MINED028] Ts Ignore Comment: // @ts-ignore silences all type errors on the next line.", "shortDescription": {"text": "[MINED028] Ts Ignore Comment: // @ts-ignore silences all type errors on the next line."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC033", "name": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without fil", "shortDescription": {"text": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting ever"}, "fullDescription": {"text": "Sanitize keys BEFORE merge:\n  function sanitize(obj) {\n    delete obj.__proto__;\n    delete obj.constructor;\n    delete obj.prototype;\n    return obj;\n  }\nOr use Object.create(null) for the target. Or use Map() for user-key-indexed data. 
Upgrade lodash >= 4.17.21 for partial mitigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED029", "name": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety.", "shortDescription": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1356"}, "properties": {"repository": "bluesky-social/social-app", "repoUrl": "https://github.com/bluesky-social/social-app", "branch": "main"}, "results": [{"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 138080, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": 
"fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 138069, "scanner": "repobility-docker", "fingerprint": "608da5996cc11aa045b7ff81c425c29e793a242b98bac15fd56ed2869405cb74", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "db", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|608da5996cc11aa045b7ff81c425c29e793a242b98bac15fd56ed2869405cb74", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskylink/tests/infra/docker-compose.yaml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 138066, "scanner": "repobility-docker", "fingerprint": "f1a1ce36b575a690e8fcff9f2afa3432edf56880ab8a5eb9938b2b140299795d", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it 
as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "db_test", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|f1a1ce36b575a690e8fcff9f2afa3432edf56880ab8a5eb9938b2b140299795d", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskylink/tests/infra/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 138065, "scanner": "repobility-docker", "fingerprint": "91e99f4d084f3e775a08b7ab1bae5441eb5c4ae1e9015cc4f6664757d6eb1318", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:bookworm-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|91e99f4d084f3e775a08b7ab1bae5441eb5c4ae1e9015cc4f6664757d6eb1318"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.embedr"}, "region": {"startLine": 65}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 138064, "scanner": "repobility-docker", "fingerprint": "2f31b743bcf48cea70dcfa4a4dd1386a29a8c28fe5efc1cfc36560e553d55321", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Broad context copy at line 22 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 22, "correlation_key": "fp|2f31b743bcf48cea70dcfa4a4dd1386a29a8c28fe5efc1cfc36560e553d55321", "dependency_install_line": 33}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.embedr"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 138060, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 138059, "scanner": "repobility-docker", "fingerprint": "7c11a1f8203a44ace35c40c2055e2ca0d0b77401565920b703013fd5c2ae966c", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:bookworm-slim", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7c11a1f8203a44ace35c40c2055e2ca0d0b77401565920b703013fd5c2ae966c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 100}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 138058, "scanner": "repobility-docker", "fingerprint": "2f521eba562bdcca7defbb24aca488af59de7fd62d693f1db081fadeb749fc45", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 43 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 43, "correlation_key": "fp|2f521eba562bdcca7defbb24aca488af59de7fd62d693f1db081fadeb749fc45", "dependency_install_line": 52}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 52}}}]}, {"ruleId": "DKR004", "level": "warning", "message": {"text": "Docker build secret exposed through ARG"}, "properties": {"repobilityId": 138054, "scanner": "repobility-docker", "fingerprint": "fcdc23f6fe2ec7900d0a2831c6457e7a70a4eb541d587941ae7a742b54b8f8ae", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ARG name looks secret-bearing; BuildKit secret mounts are the safer pattern.", "evidence": {"rule_id": "DKR004", "scanner": "repobility-docker", "variable": "SENTRY_AUTH_TOKEN", "references": ["https://docs.docker.com/build/building/secrets/", 
"https://github.com/hadolint/hadolint"], "correlation_key": "fp|fcdc23f6fe2ec7900d0a2831c6457e7a70a4eb541d587941ae7a742b54b8f8ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 138030, "scanner": "repobility-threat-engine", "fingerprint": "79bda71beb05bc1d741c1b879881dddc128866504ee210d439f53760c8b6583c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Lorem ipsum dolor sit amet", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|79bda71beb05bc1d741c1b879881dddc128866504ee210d439f53760c8b6583c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/view/screens/Storybook/Forms.tsx"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 138029, "scanner": "repobility-threat-engine", "fingerprint": "64d354634de90a98a72ceb03207880ac2740fbd2bbe519b8107e2285d972e133", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.5 bits) \u2014 
may be placeholder or common string", "evidence": {"match": "Password = '<redacted>'", "reason": "Low entropy value (3.5 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|2|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/screens/Settings/components/ChangePasswordDialog.tsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC112", "level": "warning", "message": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or a trusted-content wrapper (template.HTML, template.URL, template.JS, template.CSS, template.HTMLAttr) on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe, and the other typed wrappers do the same for their own context \u2014 the match here is `template.URL(`, which tells html/template to skip its URL sanitization, including the filtering of unsafe schemes such as javascript:. Using any of these with user input = XSS; confirm that the value wrapped at snippet.go:61 is not derived from request or user-controlled data."}, "properties": {"repobilityId": 137998, "scanner": "repobility-threat-engine", "fingerprint": "b33c562ef9a314f0e05357e63b2d261e4e6b583984fbcec24dff7b95ffd5ea37", "category": "xss", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "template.URL(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC112", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b33c562ef9a314f0e05357e63b2d261e4e6b583984fbcec24dff7b95ffd5ea37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskyweb/cmd/embedr/snippet.go"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. 
Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 137996, "scanner": "repobility-threat-engine", "fingerprint": "cc5aa63b6a56400e31dd6be9303be273c747b1130ffee65394b418158c6f75ab", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{\n\t\tAddr:    metricsAddress,\n\t\tHandler: metricsMux,\n\t}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cc5aa63b6a56400e31dd6be9303be273c747b1130ffee65394b418158c6f75ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskyweb/cmd/embedr/server.go"}, "region": {"startLine": 78}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 137987, "scanner": "repobility-threat-engine", "fingerprint": "65a5708b4d2f62086fa7980b38a25d9d602063f8e56036bb9381f60d67dd66e8", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|65a5708b4d2f62086fa7980b38a25d9d602063f8e56036bb9381f60d67dd66e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/EmojiPicker/preload.web.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 137986, "scanner": "repobility-threat-engine", "fingerprint": 
"e193330ae59e6a5ee16f8a35611d425195ccb4b1523008b4009c51f6eb414131", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e193330ae59e6a5ee16f8a35611d425195ccb4b1523008b4009c51f6eb414131"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Splash.tsx"}, "region": {"startLine": 175}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 137985, "scanner": "repobility-threat-engine", "fingerprint": "86df744ab2d88ae3b1d459ff55c0d208d0d3228a670bc4b098ea0e23b500802e", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|86df744ab2d88ae3b1d459ff55c0d208d0d3228a670bc4b098ea0e23b500802e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskylink/src/metrics.ts"}, "region": {"startLine": 135}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 137970, "scanner": "repobility-threat-engine", "fingerprint": "b329b7006dc34d5cbfc1540052c20de095559784eae999c1cde74ba886c87645", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Note: the match is a method call `.exec(` in a TypeScript file, not a Python exec() builtin; in JS/TS this is most often RegExp.prototype.exec, which evaluates no code, so the sandbox-escape rationale in the rule text does not apply. Confirm the receiver at gallery.ts:112 before treating this as CWE-95 \u2014 child_process.exec or a code/template evaluator on untrusted data would be a real concern, RegExp.exec is a false positive.", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|src/state/gallery.ts|112|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/state/gallery.ts"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 137969, "scanner": "repobility-threat-engine", "fingerprint": "51812174ded43c87c3dbacbbfefd1ee5768867fa4ec7a24571e2a1a5a734bd42", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Note: the match is a method call `.exec(` in a TypeScript file, not a Python exec() builtin; in JS/TS this is most often RegExp.prototype.exec, which evaluates no code, so the sandbox-escape rationale in the rule text does not apply. Confirm the receiver at Embed.tsx:224 before treating this as CWE-95 \u2014 child_process.exec or a code/template evaluator on untrusted data would be a real concern, RegExp.exec is a false positive.", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|224|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/dialogs/Embed.tsx"}, "region": {"startLine": 224}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 137968, "scanner": "repobility-threat-engine", "fingerprint": "ba00903c564c9a1506410bc7915d445283bb1b79e83df152a8a7100024a68997", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Note: the match is a method call `.exec(` in a TypeScript file, not a Python exec() builtin; in JS/TS this is most often RegExp.prototype.exec, which evaluates no code, so the sandbox-escape rationale in the rule text does not apply. Confirm the receiver at landing.tsx:311 before treating this as CWE-95 \u2014 child_process.exec or a code/template evaluator on untrusted data would be a real concern, RegExp.exec is a false positive.", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|311|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskyembed/src/screens/landing.tsx"}, "region": {"startLine": 311}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 138079, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 138078, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and 
documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 138077, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 138063, "scanner": "repobility-docker", "fingerprint": "9c0113478ef113d37d68da2249b7692f92c6f73bebf46436f8055c3610d8a867", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9c0113478ef113d37d68da2249b7692f92c6f73bebf46436f8055c3610d8a867"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.embedr"}, "region": {"startLine": 71}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 138062, "scanner": "repobility-docker", "fingerprint": "9aaaedf9ff3cff3c279403759d576c03eeebd3cb525e0b7868635eb56041c0fa", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9aaaedf9ff3cff3c279403759d576c03eeebd3cb525e0b7868635eb56041c0fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.embedr"}, "region": {"startLine": 71}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 138057, "scanner": "repobility-docker", "fingerprint": "700e2a2418ae9a1dd08a70f79c43856502c172828cf3525b4a447a53c327df89", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|700e2a2418ae9a1dd08a70f79c43856502c172828cf3525b4a447a53c327df89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 106}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 138056, "scanner": "repobility-docker", 
"fingerprint": "f6fa90ebee48179091acdcb76737ffb493104129046c80351e6416e3fde2294b", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f6fa90ebee48179091acdcb76737ffb493104129046c80351e6416e3fde2294b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 106}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138053, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bf32332f61d409475dcaa17764e8888c6b5e65d64c2bc88239409d16be107c0d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/Tooltip/index.tsx", "duplicate_line": 392, "correlation_key": "fp|bf32332f61d409475dcaa17764e8888c6b5e65d64c2bc88239409d16be107c0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/Tooltip/index.web.tsx"}, "region": {"startLine": 102}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138052, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e1974692617b0815e8db83c41bc86b0b0f31a3c2e5b56115d968094a782e9a1b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A 
normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/StarterPack/Main/FeedsList.tsx", "duplicate_line": 23, "correlation_key": "fp|e1974692617b0815e8db83c41bc86b0b0f31a3c2e5b56115d968094a782e9a1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/StarterPack/Main/ProfilesList.tsx"}, "region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138051, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2d3f37ce983759963817dd222ff6cdf11638c3e6bc15dcb182ce970d1ad8d846", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/InterestTabs.tsx", "duplicate_line": 271, "correlation_key": "fp|2d3f37ce983759963817dd222ff6cdf11638c3e6bc15dcb182ce970d1ad8d846"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ProgressGuide/FollowDialog.tsx"}, "region": {"startLine": 448}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138050, "scanner": "repobility-ai-code-hygiene", "fingerprint": "71e1340bba10e069f0eb6c2df5e2f2c60349e098cfdf634a7de42126ee0e3274", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/FeedCard.tsx", "duplicate_line": 163, "correlation_key": "fp|71e1340bba10e069f0eb6c2df5e2f2c60349e098cfdf634a7de42126ee0e3274"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ProfileCard.tsx"}, "region": {"startLine": 324}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138049, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cb0e4df38d9750cc70bbf86d77fe513439f2ac7f804f03496ce79072515024af", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/Post/Embed/VideoEmbed/index.tsx", "duplicate_line": 21, "correlation_key": "fp|cb0e4df38d9750cc70bbf86d77fe513439f2ac7f804f03496ce79072515024af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/Post/Embed/VideoEmbed/index.web.tsx"}, "region": {"startLine": 61}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138048, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5818f32e2fc768aa9d191732ed1ed15920f3335ed476be13f3579f43914d6633", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"modules/bottom-sheet/src/lib/Portal.tsx", "duplicate_line": 31, "correlation_key": "fp|5818f32e2fc768aa9d191732ed1ed15920f3335ed476be13f3579f43914d6633"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/Portal.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138047, "scanner": "repobility-ai-code-hygiene", "fingerprint": "41b94c6c0d692d45f003a741bfeb850098c28d2bc9b798bfff057ccf4a713eb3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/ContextMenu/types.ts", "duplicate_line": 101, "correlation_key": "fp|41b94c6c0d692d45f003a741bfeb850098c28d2bc9b798bfff057ccf4a713eb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/Menu/types.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138046, "scanner": "repobility-ai-code-hygiene", "fingerprint": "07ecc6821ccedc4e6b61f15e25651bc3aac65bbb7710810b3d955c701ebad057", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/Menu/index.tsx", "duplicate_line": 16, "correlation_key": "fp|07ecc6821ccedc4e6b61f15e25651bc3aac65bbb7710810b3d955c701ebad057"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/Menu/index.web.tsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138045, "scanner": "repobility-ai-code-hygiene", "fingerprint": "45573584030ce513a526f9f29683bb1d2f7a945b077fa0e0cd285fb74db9eb05", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/Lightbox/pager/ImageItem/ImageItem.android.tsx", "duplicate_line": 42, "correlation_key": "fp|45573584030ce513a526f9f29683bb1d2f7a945b077fa0e0cd285fb74db9eb05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/Lightbox/pager/ImageItem/ImageItem.tsx"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138044, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7129b6a7634d8c5edc530a9a75d491477ae7af0d23d6490a9a49103458d17a9d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/Lightbox/pager/ImageItem/ImageItem.android.tsx", "duplicate_line": 41, "correlation_key": "fp|7129b6a7634d8c5edc530a9a75d491477ae7af0d23d6490a9a49103458d17a9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"src/components/Lightbox/pager/ImageItem/ImageItem.ios.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138043, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8c21186e5a8135a866c78fa7b6d7193b8e1284007f82137dfd171fe8fd2ea311", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/Lightbox/chrome/PagerDots.tsx", "duplicate_line": 15, "correlation_key": "fp|8c21186e5a8135a866c78fa7b6d7193b8e1284007f82137dfd171fe8fd2ea311"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/Lightbox/chrome/PagerDots.web.tsx"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138042, "scanner": "repobility-ai-code-hygiene", "fingerprint": "38ef302837c0935dda4e36757d1740a953122fa436ee91802ca107751cb34cab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/Lightbox/chrome/CircleChromeButton.tsx", "duplicate_line": 11, "correlation_key": "fp|38ef302837c0935dda4e36757d1740a953122fa436ee91802ca107751cb34cab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/Lightbox/chrome/CircleChromeButton.web.tsx"}, "region": 
{"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138041, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bb02e9e6823c8626b5042fe3a99cb63bf3dfdb0c67786106ae4c48e470bdcab0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/ContextMenu/Backdrop.ios.tsx", "duplicate_line": 61, "correlation_key": "fp|bb02e9e6823c8626b5042fe3a99cb63bf3dfdb0c67786106ae4c48e470bdcab0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ContextMenu/Backdrop.tsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138040, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2570b01dfcc95e9a7637269834b1abf44edeb0659dbd7f817f2369967bb9c81b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/App.native.tsx", "duplicate_line": 64, "correlation_key": "fp|2570b01dfcc95e9a7637269834b1abf44edeb0659dbd7f817f2369967bb9c81b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/App.web.tsx"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 
138039, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d972bfdb990d04eafcc9c5e662b282b4d9a10c33d4a0ce21145bbfd08b270176", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/notificationsExtension/withXcodeTarget.js", "duplicate_line": 8, "correlation_key": "fp|d972bfdb990d04eafcc9c5e662b282b4d9a10c33d4a0ce21145bbfd08b270176"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/shareExtension/withXcodeTarget.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138038, "scanner": "repobility-ai-code-hygiene", "fingerprint": "65fd4c788a69733b9424722c9ac2336b3dc12cf0468d4e9761e42d6fc9f926ec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/notificationsExtension/withExtensionViewController.js", "duplicate_line": 1, "correlation_key": "fp|65fd4c788a69733b9424722c9ac2336b3dc12cf0468d4e9761e42d6fc9f926ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/shareExtension/withExtensionViewController.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138037, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"4c4ed834fc24d91788b6ec63cd2e761e85d39b5bfd6e86a16cd8831c9ec6860d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/notificationsExtension/withExtensionInfoPlist.js", "duplicate_line": 1, "correlation_key": "fp|4c4ed834fc24d91788b6ec63cd2e761e85d39b5bfd6e86a16cd8831c9ec6860d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/shareExtension/withExtensionInfoPlist.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138036, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7359bc813137489cca9c2950657dbee233b531db3a20243c78cf8352421d6d71", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "modules/expo-background-notification-handler/android/src/main/java/expo/modules/backgroundnotificationhandler/NotificationPrefs.kt", "duplicate_line": 26, "correlation_key": "fp|7359bc813137489cca9c2950657dbee233b531db3a20243c78cf8352421d6d71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "modules/expo-bluesky-swiss-army/android/src/main/java/expo/modules/blueskyswissarmy/sharedprefs/SharedPrefs.kt"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138035, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "fcbdf75d23142c5fe77e8b53a99bc0b4eae199df8a5793ab1cf560fcdabdc416", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app.config.js", "duplicate_line": 66, "correlation_key": "fp|fcbdf75d23142c5fe77e8b53a99bc0b4eae199df8a5793ab1cf560fcdabdc416"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lingui.config.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138034, "scanner": "repobility-ai-code-hygiene", "fingerprint": "064d122e92b5a805b8ea57e85a7f15f0906290266497d92022f0d2dd3710a478", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bskyweb/cmd/bskyweb/server.go", "duplicate_line": 81, "correlation_key": "fp|064d122e92b5a805b8ea57e85a7f15f0906290266497d92022f0d2dd3710a478"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskyweb/cmd/embedr/server.go"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138033, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8196c5fb5e76b22f7831456cc9b88bc3310ddfc3c8e11a255a6becbd99d2d47c", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bskyembed/src/types/bsky/index.ts", "duplicate_line": 3, "correlation_key": "fp|8196c5fb5e76b22f7831456cc9b88bc3310ddfc3c8e11a255a6becbd99d2d47c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskyogcard/src/types/bsky/index.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138032, "scanner": "repobility-ai-code-hygiene", "fingerprint": "30d10ffac74c2e06f2d80139fd7041509dc774989f4cbbd1e86b467d318e6791", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bskyembed/src/icons/Like.tsx", "duplicate_line": 3, "correlation_key": "fp|30d10ffac74c2e06f2d80139fd7041509dc774989f4cbbd1e86b467d318e6791"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskyembed/src/icons/Repost.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 138031, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d75621613f7ebae385d44e346f48abf446abd362f31a1d84dfa75a8a421f0aa7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bskyembed/src/icons/Like.tsx", "duplicate_line": 3, "correlation_key": "fp|d75621613f7ebae385d44e346f48abf446abd362f31a1d84dfa75a8a421f0aa7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskyembed/src/icons/Reply.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 138000, "scanner": "repobility-threat-engine", "fingerprint": "1ebb39606e0c8cfb5d5c1d9e33f339ccd7905cd0ae13b2d0bde396574b788dee", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'rename it to <' +\n                tagName +\n                'Text> or add it to impliedTextComponen", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1ebb39606e0c8cfb5d5c1d9e33f339ccd7905cd0ae13b2d0bde396574b788dee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eslint/avoid-unwrapped-text.js"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 138027, "scanner": "repobility-threat-engine", "fingerprint": "d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 138026, "scanner": "repobility-threat-engine", "fingerprint": "d904974a60f718a213fb7dec4cb7495a1cd30b4395f22d909a204a68a793a5d9", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.error('Failed to request password reset', {safeMessage: e})", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|9|logger.error failed to request password reset safemessage: e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/screens/Settings/components/ChangePasswordDialog.tsx"}, "region": 
{"startLine": 100}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 138025, "scanner": "repobility-threat-engine", "fingerprint": "2a5b17cd93721da34f6436565b48d8c72eb1f26f631c628aa6121ee5f8ac998a", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.warn('Failed to set new password', {error: e})", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|7|logger.warn failed to set new password error: e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/screens/Login/SetNewPasswordForm.tsx"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 138024, "scanner": "repobility-threat-engine", "fingerprint": "49b844e895eda3559dc94bfd5211dcf3f30e747842ae4ff1bc5e149685c9153d", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.warn('Failed to request password reset', {error: e})", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|6|logger.warn failed to request password reset error: e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/screens/Login/ForgotPasswordForm.tsx"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "properties": {"repobilityId": 138018, "scanner": "repobility-threat-engine", "fingerprint": "c130b911952ec9a0bdf2fa57e9f503e50ec23fd9af3426a4fd154015bd1aa6d7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 30 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c130b911952ec9a0bdf2fa57e9f503e50ec23fd9af3426a4fd154015bd1aa6d7", "aggregated_count": 30}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 138017, "scanner": "repobility-threat-engine", "fingerprint": "5c4538c985a63de04397e4ca0b577d4b8da17dc4dac09debafd23a66b44f3498", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5c4538c985a63de04397e4ca0b577d4b8da17dc4dac09debafd23a66b44f3498"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/dialogs/EmailDialog/screens/Update.tsx"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 138016, "scanner": "repobility-threat-engine", "fingerprint": "1dc6e117765b648a8fa9f057ee0492eb05dc1551c5eff09a16da02a5d63f48e3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1dc6e117765b648a8fa9f057ee0492eb05dc1551c5eff09a16da02a5d63f48e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/WhoCanReply.tsx"}, "region": {"startLine": 287}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 138015, "scanner": "repobility-threat-engine", "fingerprint": "880f4f7e846b354963625ec8425360f4cf53cf2dfc2763e4dc629650db401b9e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|880f4f7e846b354963625ec8425360f4cf53cf2dfc2763e4dc629650db401b9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/analytics/index.tsx"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 138014, "scanner": "repobility-threat-engine", "fingerprint": "90e362140b3866d3dde8a0b6f82265c37c04ba196167c3d2b3ae3d096ee15566", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|90e362140b3866d3dde8a0b6f82265c37c04ba196167c3d2b3ae3d096ee15566", "aggregated_count": 7}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 138013, "scanner": "repobility-threat-engine", "fingerprint": "faaab6ca86176dd24ee2c639c890eb2993caf9a5b30cd01fd5f9ee471406669f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|faaab6ca86176dd24ee2c639c890eb2993caf9a5b30cd01fd5f9ee471406669f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/DraggableList/index.web.tsx"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 138012, "scanner": "repobility-threat-engine", "fingerprint": "cc1abae3954794c46623553dabc36c6b8cc93c964682a993fb716c0c5e440d31", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cc1abae3954794c46623553dabc36c6b8cc93c964682a993fb716c0c5e440d31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/Composer/index.tsx"}, "region": {"startLine": 356}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 138011, "scanner": "repobility-threat-engine", "fingerprint": "c1f0329a56c472a1b03d5d1bf1771f69f73720a1a3cfa569af90c10ee5ed5605", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c1f0329a56c472a1b03d5d1bf1771f69f73720a1a3cfa569af90c10ee5ed5605"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/alf/util/flatten.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC114", "level": "none", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "properties": {"repobilityId": 138008, "scanner": "repobility-threat-engine", "fingerprint": "a992fb71c8e48958c6549bda6bde3770b505fe8b5e6e73bfacc59941b64d6c9e", "category": "path_traversal", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a992fb71c8e48958c6549bda6bde3770b505fe8b5e6e73bfacc59941b64d6c9e"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 55 more): Same pattern found in 55 additional files. Review if needed."}, "properties": {"repobilityId": 138005, "scanner": "repobility-threat-engine", "fingerprint": "a0f25a3cfce8ca54b62bb7a645bef7efad23074c3e3aa339bba10057a874ee8b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 55 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a0f25a3cfce8ca54b62bb7a645bef7efad23074c3e3aa339bba10057a874ee8b", "aggregated_count": 55}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 138004, "scanner": "repobility-threat-engine", "fingerprint": "4be0c54e093e554e5b7868aa1619fbbe22e5dfcf39f332a2372a5acb6066318a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4be0c54e093e554e5b7868aa1619fbbe22e5dfcf39f332a2372a5acb6066318a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/Dialog/index.web.tsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 138003, "scanner": "repobility-threat-engine", "fingerprint": "281df063baafe32ce71606cf332d23af894fd6305640df2b13517161dad7271f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|281df063baafe32ce71606cf332d23af894fd6305640df2b13517161dad7271f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/analytics/metrics/client.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 138002, "scanner": "repobility-threat-engine", "fingerprint": "a161afabf6c2c1073dace0adabeb5a3e10e349bcd7cd67db43a6a1c92ed48b08", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a161afabf6c2c1073dace0adabeb5a3e10e349bcd7cd67db43a6a1c92ed48b08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "modules/expo-bluesky-swiss-army/src/SharedPrefs/index.native.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 137997, "scanner": "repobility-threat-engine", "fingerprint": "a3baa3b538f431ec0130c37c28bfdca6104f991f6904a4e7c3c4a2ca1714caaf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a3baa3b538f431ec0130c37c28bfdca6104f991f6904a4e7c3c4a2ca1714caaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"bskyweb/cmd/embedr/server.go"}, "region": {"startLine": 257}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "properties": {"repobilityId": 137995, "scanner": "repobility-threat-engine", "fingerprint": "97882b0178514d7cc3693b1dab165d83113c61038fb49519a89bd890997a6da3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 26 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|97882b0178514d7cc3693b1dab165d83113c61038fb49519a89bd890997a6da3", "aggregated_count": 26}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 137994, "scanner": "repobility-threat-engine", "fingerprint": "3050997c986e4181922435409012748704687b622545587a3b436987b574118b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, 
"scanner": "repobility-threat-engine", "correlation_key": "fp|3050997c986e4181922435409012748704687b622545587a3b436987b574118b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/alf/typography.tsx"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 137993, "scanner": "repobility-threat-engine", "fingerprint": "0298b05926b7dad80829411bcec8f6e9429ae97c4a6b6ace88e453a60fbb87de", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0298b05926b7dad80829411bcec8f6e9429ae97c4a6b6ace88e453a60fbb87de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskyogcard/src/components/StarterPack.tsx"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 137992, "scanner": "repobility-threat-engine", "fingerprint": "38360f3a42c8e92eb5a8b257e5db7637e69c5d86bfe740cdb63bb8ae96e466b5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], 
"languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|38360f3a42c8e92eb5a8b257e5db7637e69c5d86bfe740cdb63bb8ae96e466b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskyogcard/src/components/AvatarBubbles.tsx"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 137991, "scanner": "repobility-threat-engine", "fingerprint": "cf68cf9377aad3acda312d8a5b9d50a51ce4828ee09935bfa8adf9a177a64306", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cf68cf9377aad3acda312d8a5b9d50a51ce4828ee09935bfa8adf9a177a64306"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/screens/Signup/StepInfo/Policies.tsx"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 137990, "scanner": "repobility-threat-engine", "fingerprint": "423af389117edc06ca90f3395d11b51ea80b3056c775358b5a8dd2d92964ed79", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|423af389117edc06ca90f3395d11b51ea80b3056c775358b5a8dd2d92964ed79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/dialogs/ServerInput.tsx"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 137989, "scanner": "repobility-threat-engine", "fingerprint": "2a08d2e8601bc002afe22f9ea6ced56a67a8b5ea9dbdde62a3c813c65b96a5ec", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a08d2e8601bc002afe22f9ea6ced56a67a8b5ea9dbdde62a3c813c65b96a5ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskylink/src/routes/createShortLink.ts"}, "region": {"startLine": 82}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 6 more): Same pattern found in 6 additional files. 
Review if needed."}, "properties": {"repobilityId": 137988, "scanner": "repobility-threat-engine", "fingerprint": "79beb8c79c8fe2afad3d97b1aaa69b9e44070a54ac39178f92cc366b51132c53", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|79beb8c79c8fe2afad3d97b1aaa69b9e44070a54ac39178f92cc366b51132c53"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 137984, "scanner": "repobility-threat-engine", "fingerprint": "520097e17d2eb3174ba7a154e276e385d41d66c2949c4b1cec4cf850eeae9ec4", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|bskylink/src/metrics.ts|79|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskylink/src/metrics.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 13 more): Same pattern found in 13 additional files. 
Review if needed."}, "properties": {"repobilityId": 137983, "scanner": "repobility-threat-engine", "fingerprint": "fe63a0c3db36cbf73bb9f04d5837f9f34863a99ac7da05df7321980a56d87019", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|fe63a0c3db36cbf73bb9f04d5837f9f34863a99ac7da05df7321980a56d87019"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "properties": {"repobilityId": 137979, "scanner": "repobility-threat-engine", "fingerprint": "6c343569363dd0a3833bf7122ebe77c77c7fe0326e0e996e6706685c8f85b729", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6c343569363dd0a3833bf7122ebe77c77c7fe0326e0e996e6706685c8f85b729", "aggregated_count": 23}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 137978, "scanner": "repobility-threat-engine", "fingerprint": "8178bcf722ff767000b637c66a11ae96160dec92603fd954386d2d1191fb6478", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8178bcf722ff767000b637c66a11ae96160dec92603fd954386d2d1191fb6478"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskylink/src/bin.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 137977, "scanner": "repobility-threat-engine", "fingerprint": "21e9770c7d1f45d0dd4b627587f824ed5df62c18462e21058d28a4cf5b5843e7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|21e9770c7d1f45d0dd4b627587f824ed5df62c18462e21058d28a4cf5b5843e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskyembed/src/screens/post.tsx"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 137976, "scanner": "repobility-threat-engine", "fingerprint": "b260a18d7d02b81b210ca48ef02fbc12dc7a4dcc0fa120dbe0d95eda0cfcc596", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b260a18d7d02b81b210ca48ef02fbc12dc7a4dcc0fa120dbe0d95eda0cfcc596"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskyembed/src/screens/landing.tsx"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 137975, "scanner": "repobility-threat-engine", "fingerprint": "606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 137971, "scanner": "repobility-threat-engine", "fingerprint": "b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 62 more): Same pattern found in 62 additional files. Review if needed."}, "properties": {"repobilityId": 137967, "scanner": "repobility-threat-engine", "fingerprint": "865cb3834a6882e47bf889447d15e77baf427da486981a5f0523dae924f0cd82", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 62 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 62 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|865cb3834a6882e47bf889447d15e77baf427da486981a5f0523dae924f0cd82"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138116, "scanner": "repobility-supply-chain", "fingerprint": "26498cb88e1cf7c91efd286c6771ad2ec178f2044d674f604e0ecf27f43ad825", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|26498cb88e1cf7c91efd286c6771ad2ec178f2044d674f604e0ecf27f43ad825"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-deploy-eas-update.yml"}, "region": {"startLine": 320}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138115, "scanner": "repobility-supply-chain", "fingerprint": "c428e85ec5cf35028c3272b792026e70a3225da0ef835032ea81fb75be33c560", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c428e85ec5cf35028c3272b792026e70a3225da0ef835032ea81fb75be33c560"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-deploy-eas-update.yml"}, "region": {"startLine": 317}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138114, "scanner": "repobility-supply-chain", "fingerprint": "c07b080c47ee33a067784bb5c59bde29bbf703dfe058d7fc85ea18e24e878749", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c07b080c47ee33a067784bb5c59bde29bbf703dfe058d7fc85ea18e24e878749"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-deploy-eas-update.yml"}, "region": {"startLine": 285}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138113, "scanner": "repobility-supply-chain", "fingerprint": "e817bec92c34ebaf684ac20b0aea343ec9edaee48c8a1ae5e62fdf99424a4441", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e817bec92c34ebaf684ac20b0aea343ec9edaee48c8a1ae5e62fdf99424a4441"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-deploy-eas-update.yml"}, "region": {"startLine": 202}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `maxim-lobanov/setup-cocoapods` pinned to mutable ref `@v1`: `uses: maxim-lobanov/setup-cocoapods@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138112, "scanner": "repobility-supply-chain", "fingerprint": "4d0e7c51fefa11481fc48fe4d806cf54f64ba6fa88da4ae61c5b5388bc8ac8b5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d0e7c51fefa11481fc48fe4d806cf54f64ba6fa88da4ae61c5b5388bc8ac8b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-deploy-eas-update.yml"}, "region": {"startLine": 197}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `maxim-lobanov/setup-xcode` pinned to mutable ref `@v1`: `uses: maxim-lobanov/setup-xcode@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138111, "scanner": "repobility-supply-chain", "fingerprint": "bb59c15935130a845dcbbce77c8255c0534552f88b1682d10d294f10081058a0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bb59c15935130a845dcbbce77c8255c0534552f88b1682d10d294f10081058a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-deploy-eas-update.yml"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `expo/expo-github-action` pinned to mutable ref `@v9`: `uses: expo/expo-github-action@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138110, "scanner": "repobility-supply-chain", "fingerprint": "da084162e41c245361db633d3227d081582dff305eef232b93440c7bbb06ed4a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|da084162e41c245361db633d3227d081582dff305eef232b93440c7bbb06ed4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-deploy-eas-update.yml"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138109, "scanner": "repobility-supply-chain", "fingerprint": "ed50cebadffa104fdf313a359e8461cfeb135c9235ec79f5d5d988cbc203fb88", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ed50cebadffa104fdf313a359e8461cfeb135c9235ec79f5d5d988cbc203fb88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-deploy-eas-update.yml"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138108, "scanner": "repobility-supply-chain", "fingerprint": "7e89a8ebe49956f28dafffb809b0c0a3a5714cbc1747f05659c6538dfb71ed1c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e89a8ebe49956f28dafffb809b0c0a3a5714cbc1747f05659c6538dfb71ed1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-deploy-eas-update.yml"}, "region": {"startLine": 173}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138107, "scanner": "repobility-supply-chain", "fingerprint": "33aa8271e398f7491048a1a14807f6a53d550f77b264ac0a7274db7449931980", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|33aa8271e398f7491048a1a14807f6a53d550f77b264ac0a7274db7449931980"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-deploy-eas-update.yml"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138106, "scanner": "repobility-supply-chain", "fingerprint": "aebdbc096e481a313badf0bd6354fc045978789b37f1afe65df88063f0e6665e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aebdbc096e481a313badf0bd6354fc045978789b37f1afe65df88063f0e6665e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-deploy-eas-update.yml"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dcarbone/install-jq-action` pinned to mutable ref `@v2`: `uses: dcarbone/install-jq-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138105, "scanner": "repobility-supply-chain", "fingerprint": "746e6f93c94ef0eb6a5d78b36dbe06ff80e1a30c1037321ffbcb01e4ea72d715", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|746e6f93c94ef0eb6a5d78b36dbe06ff80e1a30c1037321ffbcb01e4ea72d715"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-deploy-eas-update.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `expo/expo-github-action` pinned to mutable ref `@v9`: `uses: expo/expo-github-action@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138104, "scanner": "repobility-supply-chain", "fingerprint": "3e7d4debd1bb30b45fc96718bc214a960bfe3786e1e2d784c492fa7cf71ea226", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e7d4debd1bb30b45fc96718bc214a960bfe3786e1e2d784c492fa7cf71ea226"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-deploy-eas-update.yml"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `bluesky-social/github-actions/fingerprint-native` pinned to mutable ref `@main`: `uses: bluesky-social/github-actions/fingerprint-native@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138103, "scanner": "repobility-supply-chain", "fingerprint": "0d2df7b17c93fa8907ef1ef8a8f8ec4d59377f41711b2e1a3eef3bf97896e836", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0d2df7b17c93fa8907ef1ef8a8f8ec4d59377f41711b2e1a3eef3bf97896e836"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-deploy-eas-update.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138102, "scanner": "repobility-supply-chain", "fingerprint": "44049b1d974cea9ae189a5dee43a66dc5f356fdee22d8e141c57e2b600839790", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|44049b1d974cea9ae189a5dee43a66dc5f356fdee22d8e141c57e2b600839790"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-deploy-eas-update.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138101, "scanner": "repobility-supply-chain", "fingerprint": "16438c3f0529815a98f42e739c4d29fe13454023aee39c71d8a302ff041e4291", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|16438c3f0529815a98f42e739c4d29fe13454023aee39c71d8a302ff041e4291"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-deploy-eas-update.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138100, "scanner": "repobility-supply-chain", "fingerprint": "217e0a7a0bce4d5434005167b4a547ded2e7b72d8eb3de428235281d43fe43e7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|217e0a7a0bce4d5434005167b4a547ded2e7b72d8eb3de428235281d43fe43e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-deploy-eas-update.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138099, "scanner": "repobility-supply-chain", "fingerprint": "c86e1f6e4335a4dac063267736ec9d4c8a005416a59800016199da459a18c7b5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c86e1f6e4335a4dac063267736ec9d4c8a005416a59800016199da459a18c7b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-and-push-embedr-aws.yaml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138098, "scanner": "repobility-supply-chain", "fingerprint": "7e36dbc68dac7b25f417dc6ae548084040b201106841185a9da0ff7c0ad93451", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e36dbc68dac7b25f417dc6ae548084040b201106841185a9da0ff7c0ad93451"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify-pnpm-lock.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138097, "scanner": "repobility-supply-chain", "fingerprint": "bfa104c6ef435a4dfb6e679fb0159d7f8dea70c9ff9dc7763fa1fbe8fe40355a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bfa104c6ef435a4dfb6e679fb0159d7f8dea70c9ff9dc7763fa1fbe8fe40355a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify-pnpm-lock.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138096, "scanner": "repobility-supply-chain", "fingerprint": "256483c7de1894c370d0daea28fbce690346844ad8167f8912a170c8a79a3e11", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|256483c7de1894c370d0daea28fbce690346844ad8167f8912a170c8a79a3e11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify-pnpm-lock.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138095, "scanner": "repobility-supply-chain", "fingerprint": "ee700fdd9fe2022a397ce4bff28e9ce9eddccb030b4d479466d06761aee7c3e6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ee700fdd9fe2022a397ce4bff28e9ce9eddccb030b4d479466d06761aee7c3e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/golang-test-lint.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138094, "scanner": "repobility-supply-chain", "fingerprint": "7ff5078de55c146b6b4b13e2454a260362ad33ebfcb5058783b56eb17fbfccaf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7ff5078de55c146b6b4b13e2454a260362ad33ebfcb5058783b56eb17fbfccaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/golang-test-lint.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138093, "scanner": "repobility-supply-chain", "fingerprint": "5b6df4187fd66e57cdd411a434993d6e8d4390903d1463c22874c459bf98fafb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5b6df4187fd66e57cdd411a434993d6e8d4390903d1463c22874c459bf98fafb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/golang-test-lint.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 138092, "scanner": "repobility-supply-chain", "fingerprint": "4ffa98515c517292c9f7786367044f2b7162a46288070c1b44e364953f1c2a39", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4ffa98515c517292c9f7786367044f2b7162a46288070c1b44e364953f1c2a39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/golang-test-lint.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 138091, "scanner": "repobility-supply-chain", "fingerprint": "eef7afdeb0014ada54337788969a767b969f2f486095f859a3d60878bd9f83f2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eef7afdeb0014ada54337788969a767b969f2f486095f859a3d60878bd9f83f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.embedr"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `golang:1.26-bookworm` not pinned by digest: `FROM golang:1.26-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 138090, "scanner": "repobility-supply-chain", "fingerprint": "45a97fcda871f9a77299215b0fb3ea5ae900ee8043e2b07537b7e5fd4b5298b4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45a97fcda871f9a77299215b0fb3ea5ae900ee8043e2b07537b7e5fd4b5298b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.embedr"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 138089, "scanner": "repobility-supply-chain", "fingerprint": "1e6946095b28551e0feb276e0b9aed78f7e54e2dcacb6cff8aa1e9a08a93a5c3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e6946095b28551e0feb276e0b9aed78f7e54e2dcacb6cff8aa1e9a08a93a5c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `golang:1.26-bookworm` not pinned by digest: `FROM golang:1.26-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 138088, "scanner": "repobility-supply-chain", "fingerprint": "08961389312ee2474ba3123e53faea6f62b964207591189df852874ad96f2ad5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|08961389312ee2474ba3123e53faea6f62b964207591189df852874ad96f2ad5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ghcr.io/pnpm/pnpm:11` not pinned by digest: `FROM ghcr.io/pnpm/pnpm:11` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 138087, "scanner": "repobility-supply-chain", "fingerprint": "58aee73f8b713da38e860dda4a512f2bd6baf8732a19f42a7aa81b8ce0e3e4f8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|58aee73f8b713da38e860dda4a512f2bd6baf8732a19f42a7aa81b8ce0e3e4f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24.15.0-alpine3.22` not pinned by digest: `FROM node:24.15.0-alpine3.22` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 138086, "scanner": "repobility-supply-chain", "fingerprint": "bf2309464fd6b7108a73aee787b799bb172a6459d89c1dc26dc8c17dfbb9c3bd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf2309464fd6b7108a73aee787b799bb172a6459d89c1dc26dc8c17dfbb9c3bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.bskylink"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24.15.0-alpine3.22` not pinned by digest: `FROM node:24.15.0-alpine3.22` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 138085, "scanner": "repobility-supply-chain", "fingerprint": "939631ca089c3032e79df15498d40e8f8dab5be4e1755bdff209a6ab7d7fd968", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|939631ca089c3032e79df15498d40e8f8dab5be4e1755bdff209a6ab7d7fd968"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.bskylink"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `eslint-plugin-bsky-internal` pulled from URL/Git: `devDependencies.eslint-plugin-bsky-internal` = `link:eslint` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 138084, "scanner": "repobility-supply-chain", "fingerprint": "b5546c04f6240563062ca50bd5640ba5c0b4858dd88f220e5a82452e25aae582", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b5546c04f6240563062ca50bd5640ba5c0b4858dd88f220e5a82452e25aae582"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24.15.0-alpine3.22` not pinned by digest: `FROM node:24.15.0-alpine3.22` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 138083, "scanner": "repobility-supply-chain", "fingerprint": "e30beed25ec1f558ad4346437c7c27d654fce1493038e193b612ab90a79c0c33", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e30beed25ec1f558ad4346437c7c27d654fce1493038e193b612ab90a79c0c33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.bskyogcard"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24.15.0-alpine3.22` not pinned by digest: `FROM node:24.15.0-alpine3.22` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 138082, "scanner": "repobility-supply-chain", "fingerprint": "91c259178535d861b2db731e680156b23a095e74d22aa80f005e70d374b985ab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|91c259178535d861b2db731e680156b23a095e74d22aa80f005e70d374b985ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.bskyogcard"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /link has no auth: Express route POST /link declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 138081, "scanner": "repobility-route-auth", "fingerprint": "08ae0bd49e8aacc987fe4663345451e41ae7823eb1ce8d1df33665e129f4d1b2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|08ae0bd49e8aacc987fe4663345451e41ae7823eb1ce8d1df33665e129f4d1b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskylink/src/routes/createShortLink.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 138076, "scanner": "repobility-docker", "fingerprint": "2f9201909e9503900ee982c46f1c7866d24524e8e4a3ae3c7ebb70b275347276", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "6379:6379", "target": "6379", "host_ip": "", "published": "6379"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|2f9201909e9503900ee982c46f1c7866d24524e8e4a3ae3c7ebb70b275347276"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev-env/dev-infra/docker-compose.yaml"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKC011", "level": "error", 
"message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 138075, "scanner": "repobility-docker", "fingerprint": "1c01f7e796ceb6b808eb482c67b011de7693eaa6743364c8e5f4de3d550c4c84", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|1c01f7e796ceb6b808eb482c67b011de7693eaa6743364c8e5f4de3d550c4c84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev-env/dev-infra/docker-compose.yaml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 138073, "scanner": "repobility-docker", "fingerprint": "c00ff6d0d8a2b760d5b6c17d574844646351e8104083a2f0d94cb055bae3056f", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "db_test", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|c00ff6d0d8a2b760d5b6c17d574844646351e8104083a2f0d94cb055bae3056f", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev-env/dev-infra/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": 
"Database service publishes a host port"}, "properties": {"repobilityId": 138072, "scanner": "repobility-docker", "fingerprint": "94fde6a0536a3aca74402491dc6bc65c30a0f37280a6a9fb7af36072d8ed454d", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5433:5432", "target": "5432", "host_ip": "", "published": "5433"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "db_test", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|94fde6a0536a3aca74402491dc6bc65c30a0f37280a6a9fb7af36072d8ed454d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev-env/dev-infra/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 138070, "scanner": "repobility-docker", "fingerprint": "9c57a7a130b0d2c8da95ca62547b219f5c698b4b293500815be1d7eb068501cf", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|9c57a7a130b0d2c8da95ca62547b219f5c698b4b293500815be1d7eb068501cf"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "bskylink/tests/infra/docker-compose.yaml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 138068, "scanner": "repobility-docker", "fingerprint": "557f079f109a39591bdea6a54f5aeeacb84fbc8b96f4b38ae54027c2191acd71", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "db_test", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|557f079f109a39591bdea6a54f5aeeacb84fbc8b96f4b38ae54027c2191acd71", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskylink/tests/infra/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 138067, "scanner": "repobility-docker", "fingerprint": "3a513632460edf9be999c95dc94b93118034dfb1e9d3d599a1a964cc8d551fd5", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5433:5432", "target": "5432", "host_ip": "", "published": "5433"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "db_test", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|3a513632460edf9be999c95dc94b93118034dfb1e9d3d599a1a964cc8d551fd5"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "bskylink/tests/infra/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 138061, "scanner": "repobility-docker", "fingerprint": "8dc91d6f076fd7aafc801b73edcbca2df9c19c7bcc8202d6f86dd37ac4688b3a", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|8dc91d6f076fd7aafc801b73edcbca2df9c19c7bcc8202d6f86dd37ac4688b3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.embedr"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 138055, "scanner": "repobility-docker", "fingerprint": "359dd4a1c5f26b61711b8260b1d4419f876ed61780712be56968dd1fd7187ca3", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|359dd4a1c5f26b61711b8260b1d4419f876ed61780712be56968dd1fd7187ca3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that 
interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 138028, "scanner": "repobility-threat-engine", "fingerprint": "d61094d6c2f99fd056e404add787ae33c6e032946715e2c76a4aec3a485ee6e9", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([name, value]) => `${name}:${value}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d61094d6c2f99fd056e404add787ae33c6e032946715e2c76a4aec3a485ee6e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/screens/Search/utils.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 138023, "scanner": "repobility-threat-engine", "fingerprint": "46c77d590b257af008e09b0727d31dc811e7a2769d4094aedff45a271e5dc9dc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(CASHTAG_REGEX", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|46c77d590b257af008e09b0727d31dc811e7a2769d4094aedff45a271e5dc9dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/view/com/composer/text-input/web/TagDecorator.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 138022, "scanner": "repobility-threat-engine", "fingerprint": "73f0539595fa98403e06464ba71561c85bd75de8b3fdc6a2e5adb7a07a56e7ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(filter", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|73f0539595fa98403e06464ba71561c85bd75de8b3fdc6a2e5adb7a07a56e7ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/logger/index.tsx"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED028", "level": "error", "message": {"text": "[MINED028] Ts Ignore Comment: // @ts-ignore silences all type errors on the next line."}, "properties": {"repobilityId": 138021, "scanner": "repobility-threat-engine", "fingerprint": "17baaae99538409b0936368802b4e1ab22f7540a4ebbef991a7503593e917960", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-ignore-comment", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347964+00:00", "triaged_in_corpus": 15, "observations_count": 9364, "ai_coder_pattern_id": 99}, "scanner": "repobility-threat-engine", "correlation_key": "fp|17baaae99538409b0936368802b4e1ab22f7540a4ebbef991a7503593e917960"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/forms/InputGroup.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC033", "level": "error", "message": {"text": "[SEC033] Prototype Pollution \u2014 
unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting every object in the process. CWE-1321. Real-world: CVE-2019-10744 (lodash), CVE-2021-23337 (lodash.set), CVE-2023-26136 (tough-cookie)."}, "properties": {"repobilityId": 138020, "scanner": "repobility-threat-engine", "fingerprint": "461898ec90ba538bd7614a9ed25f306e14c071501c12335095e52d5044034e20", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "[params.source] =", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC033", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|461898ec90ba538bd7614a9ed25f306e14c071501c12335095e52d5044034e20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/Post/Embed/ExternalEmbed/ExternalPlayer.tsx"}, "region": {"startLine": 200}}}]}, {"ruleId": "SEC033", "level": "error", "message": {"text": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting every object in the process. CWE-1321. 
Real-world: CVE-2019-10744 (lodash), CVE-2021-23337 (lodash.set), CVE-2023-26136 (tough-cookie)."}, "properties": {"repobilityId": 138019, "scanner": "repobility-threat-engine", "fingerprint": "9ccb5946fd5796cfd2f2b154af9f3bd669967ae3e5da8b61b7efbf6f901b945d", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "[params.source] =", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC033", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9ccb5946fd5796cfd2f2b154af9f3bd669967ae3e5da8b61b7efbf6f901b945d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/Post/Embed/ExternalEmbed/ExternalGif.tsx"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 138009, "scanner": "repobility-threat-engine", "fingerprint": "096d912770bedf5aff635847bc601722ba1a01022d2547c31b30a72514d6618d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|096d912770bedf5aff635847bc601722ba1a01022d2547c31b30a72514d6618d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bundleUpdate.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join 
/ Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 138007, "scanner": "repobility-threat-engine", "fingerprint": "4e272546c1a0f450c066a2c8809e53dbcfecfb7367b27a6a462a6359b671f567", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(\n      config.modRequest", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|10|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/notificationsExtension/withExtensionViewController.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 138006, "scanner": "repobility-threat-engine", "fingerprint": "da7e7c8eb3b66cfdc7d460a9fae391aea2748f6bbb6f00d2cafd287956c8b92a", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "path.join(\n      config.modRequest", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|8|sec114", "duplicate_count": 1, "duplicate_rule_ids": ["SEC114"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["c7a8a952a39544722540c938107a92b0e5d8f1ab61d38dd804e395358b810893", "da7e7c8eb3b66cfdc7d460a9fae391aea2748f6bbb6f00d2cafd287956c8b92a"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/notificationsExtension/withExtensionEntitlements.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 138001, "scanner": "repobility-threat-engine", "fingerprint": "dbc6fd9570965a7584a00d419a6f255bea5dcc5a272c00e6b029f599f56e5d2e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dbc6fd9570965a7584a00d419a6f255bea5dcc5a272c00e6b029f599f56e5d2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "modules/expo-bluesky-swiss-army/android/src/main/java/expo/modules/blueskyswissarmy/visibilityview/VisibilityViewManager.kt"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 137982, "scanner": "repobility-threat-engine", "fingerprint": "69f399515370b005f94bf6522b9b12eeac290526f9d4b8f2c2dac4774da2401c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "self.destroy()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|69f399515370b005f94bf6522b9b12eeac290526f9d4b8f2c2dac4774da2401c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "modules/bottom-sheet/ios/SheetView.swift"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 137981, "scanner": "repobility-threat-engine", "fingerprint": "2ab1e508d4e7ef86f7a8be6c9dde2a79288a4d2416f91958f75144a8f208db52", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "workers.delete(worker)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2ab1e508d4e7ef86f7a8be6c9dde2a79288a4d2416f91958f75144a8f208db52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskyogcard/src/bin.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 137980, "scanner": "repobility-threat-engine", "fingerprint": "9fac95424a4522db93da1aa2516700810f2572982721090fe3279fdae4611389", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.domainCache.delete(rule.url)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9fac95424a4522db93da1aa2516700810f2572982721090fe3279fdae4611389"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskylink/src/cache/safelinkClient.ts"}, "region": {"startLine": 144}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 137974, "scanner": "repobility-threat-engine", "fingerprint": "e9a655382700c23885efc8389efc04718905b6a62d9d6ba0126f0f1ce98e9ccd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(uri", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e9a655382700c23885efc8389efc04718905b6a62d9d6ba0126f0f1ce98e9ccd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/state/gallery.ts"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 137973, "scanner": "repobility-threat-engine", "fingerprint": "b163e41e2777416968013a410a1797ae0afcf5da5fd5bf891fc11f2523b7d84a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(str", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b163e41e2777416968013a410a1797ae0afcf5da5fd5bf891fc11f2523b7d84a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/dialogs/Embed.tsx"}, "region": {"startLine": 224}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command 
injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 137972, "scanner": "repobility-threat-engine", "fingerprint": "9dc4d20327487922d647d491fd17fa0e1e2783aacd871450cafa2bc67a05f88a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(str", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9dc4d20327487922d647d491fd17fa0e1e2783aacd871450cafa2bc67a05f88a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskyembed/src/screens/landing.tsx"}, "region": {"startLine": 311}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 137966, "scanner": "repobility-threat-engine", "fingerprint": "19a9b09f1ad564df14ceda39b8c80c975f36475a1a8c848445138d0d445b1e4b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url (L", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|19a9b09f1ad564df14ceda39b8c80c975f36475a1a8c848445138d0d445b1e4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskylink/src/config.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 137965, "scanner": "repobility-threat-engine", "fingerprint": "301056e7430ee08de2fa7898dbb0848311d35bf9a5fd3ebfd95320416796f797", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(l", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|301056e7430ee08de2fa7898dbb0848311d35bf9a5fd3ebfd95320416796f797"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskylink/src/cache/safelinkClient.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 137964, "scanner": "repobility-threat-engine", "fingerprint": "b50caa6d8150bf3e1b1a2a904f8af9ff415285ea4ece41cf11dadf6539c0a285", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b50caa6d8150bf3e1b1a2a904f8af9ff415285ea4ece41cf11dadf6539c0a285"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bskyembed/src/screens/landing.tsx"}, "region": {"startLine": 62}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 138074, "scanner": "repobility-docker", "fingerprint": "302495e7cab9e608f90dd280da6135635f1f726115071d0fb2c66881223a29c9", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "db", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|302495e7cab9e608f90dd280da6135635f1f726115071d0fb2c66881223a29c9", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev-env/dev-infra/docker-compose.yaml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment 
value"}, "properties": {"repobilityId": 138071, "scanner": "repobility-docker", "fingerprint": "c8d9ebc6fbf7dd50c54d3b73e611e54801853218945d0823061f97a398ef5096", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "db_test", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|c8d9ebc6fbf7dd50c54d3b73e611e54801853218945d0823061f97a398ef5096", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev-env/dev-infra/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 138010, "scanner": "repobility-threat-engine", "fingerprint": "965b9c059e7bc0ceb65361cc18a75fa97b8d8dd2fcc8eb48d6dee5b661ce5e43", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(\n  path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|965b9c059e7bc0ceb65361cc18a75fa97b8d8dd2fcc8eb48d6dee5b661ce5e43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/post-web-build.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 137999, "scanner": "repobility-threat-engine", "fingerprint": "2de36a42551ea9fdab3930cde67721cc96e34fa0b605ab61cfcb827381458b67", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://pg:password@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|2|postgresql://pg:password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev-env/dev-infra/_common.sh"}, "region": {"startLine": 29}}}]}]}]}