{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Move database dumps outside the Docker build context or exclude them with .dockerignore. 
Keep backup and restore artifacts in private object storage or a dedicated backup workflow."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, 
"fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": 
"Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the 
language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED078", "name": "[MINED078] Eslint Disable File: /* eslint-disable */ at top disables all lint rules for the file.", "shortDescription": {"text": "[MINED078] Eslint Disable File: /* eslint-disable */ at top disables all lint rules for the file."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[SEC084] JS: require() with non-literal (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Also block loopback (127/8) and the IPv6 equivalents, and apply the check to the resolved IP address after every redirect, not only to the hostname string."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional file. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional file. 
Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 13 more): Same pattern found in 13 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. 
For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 9 more): Same pattern found in 9 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 13 more): Same pattern found in 13 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html (and 72 more): Same pattern found in 72 additional files. Review if needed.", "shortDescription": {"text": "[MINED058] React Dangerously Set Html (and 72 more): Same pattern found in 72 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 129 more): Same pattern found in 129 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 129 more): Same pattern found in 129 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `node:10-slim` not pinned by digest: `FROM node:10-slim` resolves the tag at build time. The ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `node:10-slim` not pinned by digest: `FROM node:10-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images shou"}, "fullDescription": {"text": "Replace with: `FROM node:10-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `pullreminders/slack-action` pinned to mutable ref `@master`: `uses: pullreminders/slack-action@master", "shortDescription": {"text": "[MINED115] Action `pullreminders/slack-action` pinned to mutable ref `@master`: `uses: pullreminders/slack-action@master` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/change"}, "fullDescription": {"text": "Replace with: `uses: pullreminders/slack-action@<40-char-sha>  # master` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "MINED031", "name": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render.", "shortDescription": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) 
compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/917"}, "properties": {"repository": "gatsbyjs/gatsby", "repoUrl": "https://github.com/gatsbyjs/gatsby", "branch": "master"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 86146, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 86145, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": 
["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 86141, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 86132, "scanner": "repobility-docker", "fingerprint": "2f3f5f7b29b377634ef1ffa9a61f5bf5e6f4649ccbb689aff733b7b992abc1f9", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|2f3f5f7b29b377634ef1ffa9a61f5bf5e6f4649ccbb689aff733b7b992abc1f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"integration-tests/gatsby-source-wordpress/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 86129, "scanner": "repobility-docker", "fingerprint": "5a946d2ade000c23252ecbbd66958c9332c68f104a15410e4297d78ce867787e", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "wordpress:6.1", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5a946d2ade000c23252ecbbd66958c9332c68f104a15410e4297d78ce867787e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/gatsby-source-wordpress/docker/wordpress/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 86127, "scanner": "repobility-docker", "fingerprint": "9d9786ac8447220435244f9f0c2c2d97d696d57ebccd1f13a2d4ae04d2d3a024", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:14-buster", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9d9786ac8447220435244f9f0c2c2d97d696d57ebccd1f13a2d4ae04d2d3a024"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/docker-runner/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 86122, "scanner": "repobility-docker", "fingerprint": "7ff4c12b6edb3fcf522675fb8fb0f1bf5dc223bd9e294f43c998478bf9266dea", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:10-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7ff4c12b6edb3fcf522675fb8fb0f1bf5dc223bd9e294f43c998478bf9266dea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/high-priority-prs/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 86121, "scanner": "repobility-docker", "fingerprint": "c00b979abb69f3cb49efa1b3215ec0551b0ed7caef50057768fa6b0e63f3c692", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c00b979abb69f3cb49efa1b3215ec0551b0ed7caef50057768fa6b0e63f3c692", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": ".github/actions/high-priority-prs/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 86119, "scanner": "repobility-docker", "fingerprint": "d1bb088e19fec999ccd1cb7c6d8b1221a32e5861b180f8d27d5c1c2a1793c290", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:10-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d1bb088e19fec999ccd1cb7c6d8b1221a32e5861b180f8d27d5c1c2a1793c290"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/gatsby-site-showcase-validator/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 86118, "scanner": "repobility-docker", "fingerprint": "7e5326d3c6c6e60c7c679fd5fb4456dab04298e3ed77c33da65afecfbaa922f4", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|7e5326d3c6c6e60c7c679fd5fb4456dab04298e3ed77c33da65afecfbaa922f4", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/actions/gatsby-site-showcase-validator/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 86117, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "integration-tests/gatsby-source-wordpress/docker/seed/backup.sql", "size_mb": 1.8}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 86116, "scanner": "repobility-agent-runtime", "fingerprint": "af291d976c91012634b7281aedce878c33b2f226f4d5211386b9239738a8c24e", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|af291d976c91012634b7281aedce878c33b2f226f4d5211386b9239738a8c24e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/docs/how-to/local-development/gatsby-on-linux.md"}, 
"region": {"startLine": 25}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 86053, "scanner": "repobility-threat-engine", "fingerprint": "b7f14e168783a0f0326c7b389f32a7146080f1f0730d3373c3a2108ef9daa489", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {\n}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b7f14e168783a0f0326c7b389f32a7146080f1f0730d3373c3a2108ef9daa489"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gatsby-cli/scripts/postinstall.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 86052, "scanner": "repobility-threat-engine", "fingerprint": "b3068e38b4f8b989f14cd7e759717ef4669424e28464d2bd7e1505e5a0e1cfb3", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (err) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b3068e38b4f8b989f14cd7e759717ef4669424e28464d2bd7e1505e5a0e1cfb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/gatsby-pipeline/utils/create-devserver.js"}, "region": {"startLine": 48}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": 
{"repobilityId": 86051, "scanner": "repobility-threat-engine", "fingerprint": "baf55f63ea21baeaca3cb16c0aaae4b0c27b0facd91ff88171669be02c87e1a2", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|baf55f63ea21baeaca3cb16c0aaae4b0c27b0facd91ff88171669be02c87e1a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-admin/src/utils/use-telemetry.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 86046, "scanner": "repobility-threat-engine", "fingerprint": "1c15b50d5e8db2ad390337924ace7276c632a22a5e3bccdd38d160d35323018f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "TOKEN,\n  useCdn: false,\n})\n\nconst randomDoc = Math.floor(\n  Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1c15b50d5e8db2ad390337924ace7276c632a22a5e3bccdd38d160d35323018f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/source-sanity/update-post.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: 
Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 86045, "scanner": "repobility-threat-engine", "fingerprint": "f61c6bb56824de445e95c0224a957cb79f3ad507a03e3b6c4380d5becfe7a930", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "KEY, // Management API token\n  });\n\n  try {\n\n    const randomDoc = Math.floor(Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f61c6bb56824de445e95c0224a957cb79f3ad507a03e3b6c4380d5becfe7a930"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/source-kontent/update-article.js"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). 
Complement to server-side SEC030."}, "properties": {"repobilityId": 86035, "scanner": "repobility-threat-engine", "fingerprint": "b5584e75bd4610b503f56286f1e4a76d0c552148025602b2945e26681dc12466", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.location = itemPath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b5584e75bd4610b503f56286f1e4a76d0c552148025602b2945e26681dc12466"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/source-agilitycms/src/agility/components/DynamicPreviewPage.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 86009, "scanner": "repobility-threat-engine", "fingerprint": "72d268a578848d56221ad4a6e5914c94d22c909eb27e2d237a95d1d53a0e826a", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|29|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/source-agilitycms/src/agility/components/DynamicPreviewPage.js"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 86008, "scanner": "repobility-threat-engine", "fingerprint": "f2a3b79768fa190269b1c31c73f12c3d922a724d49a243ed4a260ed2d5bfcb6d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|37|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/docker-runner/scripts/test.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 86007, "scanner": "repobility-threat-engine", "fingerprint": "6092b53e1156a48065aae845d4f5e4105b78d38a18d2af0e233c446051ec2536", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|40|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/docker-runner/scripts/test-suite.js"}, "region": {"startLine": 40}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 86147, "scanner": "repobility-web-presence", "fingerprint": "d2ffea3ba4f388f9292e83f371ae2a1711c980b5fc45fe95b01be1d50ff67b39", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|d2ffea3ba4f388f9292e83f371ae2a1711c980b5fc45fe95b01be1d50ff67b39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/gabe-csv-markdown/static/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 86144, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", 
"isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 86143, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 86142, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 86140, "scanner": "repobility-docker", "fingerprint": "3a00dc590b80d979bacbe9e8a9f16d2cd182119c181a06de3cf33857d08313a5", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "wordpress-cli", "dependency": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|3a00dc590b80d979bacbe9e8a9f16d2cd182119c181a06de3cf33857d08313a5", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/gatsby-source-wordpress/docker-compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 86139, "scanner": "repobility-docker", "fingerprint": "43a95cde1735bd9c74b271d359fcc657080004d121e320d1c34b28cd8041fd96", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "wordpress-cli", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|43a95cde1735bd9c74b271d359fcc657080004d121e320d1c34b28cd8041fd96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/gatsby-source-wordpress/docker-compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": 
"DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 86137, "scanner": "repobility-docker", "fingerprint": "1473872c64126f05a6f3582e25c468010b51e52098ba0c57680736be353afbdb", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "wordpress-cli", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1473872c64126f05a6f3582e25c468010b51e52098ba0c57680736be353afbdb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/gatsby-source-wordpress/docker-compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 86136, "scanner": "repobility-docker", "fingerprint": "75737ac06eeac654a2aca25c93785ee9a1572457eed6609cd06cca52e563622c", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "wordpress", "dependency": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|75737ac06eeac654a2aca25c93785ee9a1572457eed6609cd06cca52e563622c", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/gatsby-source-wordpress/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, 
"properties": {"repobilityId": 86135, "scanner": "repobility-docker", "fingerprint": "9404234cfc887dc852995539640835173724e48772d7401ca7c363d7f555721b", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "wordpress", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9404234cfc887dc852995539640835173724e48772d7401ca7c363d7f555721b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/gatsby-source-wordpress/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 86133, "scanner": "repobility-docker", "fingerprint": "6cbff43c64ee9b14b143cbebfc5eb6147372ed3021c6e0c37eca1feafc9f80bb", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "wordpress", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6cbff43c64ee9b14b143cbebfc5eb6147372ed3021c6e0c37eca1feafc9f80bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/gatsby-source-wordpress/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 86128, "scanner": "repobility-docker", "fingerprint": "bc6cf15494f447ea193c9e10d00f7811222a0b79797f0c8f3f5c82f5cd53ff4a", 
"category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bc6cf15494f447ea193c9e10d00f7811222a0b79797f0c8f3f5c82f5cd53ff4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/gatsby-source-wordpress/docker/wordpress/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 86126, "scanner": "repobility-docker", "fingerprint": "b3db4fbf5b90e73467bdaa8377f4b6fc54198ea7e3072cbac422ad013effa9a2", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b3db4fbf5b90e73467bdaa8377f4b6fc54198ea7e3072cbac422ad013effa9a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/docker-runner/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 86125, "scanner": "repobility-docker", "fingerprint": "d3429e564ef2856959ce396e36bc861777dce63f378cce4d5415a6ca86eafdc2", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove 
/var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|d3429e564ef2856959ce396e36bc861777dce63f378cce4d5415a6ca86eafdc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/docker-runner/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 86124, "scanner": "repobility-docker", "fingerprint": "03b0cb25acc0760955b203b29efdc3be0c4da29a1cafecdcd314dcd392fecc29", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|03b0cb25acc0760955b203b29efdc3be0c4da29a1cafecdcd314dcd392fecc29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/docker-runner/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 86123, "scanner": "repobility-docker", "fingerprint": "1b113d8f61f27951344c99d6e841849e4f99cacfa79f14a35dabf93a57deca2b", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": 
"fp|1b113d8f61f27951344c99d6e841849e4f99cacfa79f14a35dabf93a57deca2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/docker-runner/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 86120, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86115, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bac6d34fbcaa370218807d4df13ba8487401656e1301cefbbdc66916634711da", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/development-runtime/src/pages/query-data-caches/page-query-no-trailing-slash-A-to-B-to-A-history/page-A.js", "duplicate_line": 5, "correlation_key": "fp|bac6d34fbcaa370218807d4df13ba8487401656e1301cefbbdc66916634711da"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/src/pages/query-data-caches/page-query-no-trailing-slash-A-to-B-to-A-link/page-A.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86114, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cec1e8ad07f982ddb6ba011717e09fdad893360dde915a5cfd5268054e538bc2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/development-runtime/src/pages/query-data-caches/page-query-CO-to-B-to-CO-history/page-B.js", "duplicate_line": 5, "correlation_key": "fp|cec1e8ad07f982ddb6ba011717e09fdad893360dde915a5cfd5268054e538bc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/src/pages/query-data-caches/page-query-no-trailing-slash-A-to-B-to-A-history/page-B.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86113, "scanner": "repobility-ai-code-hygiene", "fingerprint": "398ff44d01c9181afabbb43335198c068ea11d27a4201026833bf4e123a6d46d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"e2e-tests/development-runtime/src/pages/query-data-caches/page-query-CO-to-B-to-CO-history/[client-only].js", "duplicate_line": 5, "correlation_key": "fp|398ff44d01c9181afabbb43335198c068ea11d27a4201026833bf4e123a6d46d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/src/pages/query-data-caches/page-query-CO-to-B-to-CO-link/[client-only].js"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86112, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b062e30b670f592eff7b702ce67e1ebced392889b0ae40e89193da375336a692", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/development-runtime/src/pages/head-function-export/page-query.js", "duplicate_line": 24, "correlation_key": "fp|b062e30b670f592eff7b702ce67e1ebced392889b0ae40e89193da375336a692"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/src/pages/head-function-export/ssr.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86111, "scanner": "repobility-ai-code-hygiene", "fingerprint": "74e28df509b73c5e4588553403fbad839d4bf56721901096143b89163d8d0bd1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/development-runtime/src/components/head-function-export.js", "duplicate_line": 23, "correlation_key": "fp|74e28df509b73c5e4588553403fbad839d4bf56721901096143b89163d8d0bd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/src/pages/head-function-export/ssr.js"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86110, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f09af50f38104a4b04a4fd428822cf4482f2d05e90fae988ab1797720dd45979", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/development-runtime/src/components/head-function-export.js", "duplicate_line": 22, "correlation_key": "fp|f09af50f38104a4b04a4fd428822cf4482f2d05e90fae988ab1797720dd45979"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/src/pages/head-function-export/page-query.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86109, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8aaa8ec7c0881b4e713b81b10bb6211935c32e9919e41ae9449432633ac2647c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/development-runtime/src/components/head-function-export.js", "duplicate_line": 23, "correlation_key": "fp|8aaa8ec7c0881b4e713b81b10bb6211935c32e9919e41ae9449432633ac2647c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/src/pages/head-function-export/dsg.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86108, "scanner": "repobility-ai-code-hygiene", "fingerprint": "512ca5e7e0a598ca31e80f8c861fa184ea6035b2ffec908863efcbaac0882226", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/development-runtime/src/components/head-function-export.js", "duplicate_line": 23, "correlation_key": "fp|512ca5e7e0a598ca31e80f8c861fa184ea6035b2ffec908863efcbaac0882226"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/src/pages/head-function-export/basic.js"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86107, "scanner": "repobility-ai-code-hygiene", "fingerprint": "24de2408769ce585a3facef833c0064c17e610360b535fc335756a570b90c488", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/development-runtime/src/pages/gatsby-script-inline-scripts.js", "duplicate_line": 23, "correlation_key": "fp|24de2408769ce585a3facef833c0064c17e610360b535fc335756a570b90c488"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/src/pages/gatsby-script-scripts-with-sources.js"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86106, "scanner": "repobility-ai-code-hygiene", "fingerprint": "778d6b801cdf2c26cbeeb41b817e0fab7cc7bb1f1d4cfa0863969cd5fc3f8618", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/development-runtime/src/pages/gatsby-script-off-main-thread-2.js", "duplicate_line": 20, "correlation_key": "fp|778d6b801cdf2c26cbeeb41b817e0fab7cc7bb1f1d4cfa0863969cd5fc3f8618"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/src/pages/gatsby-script-off-main-thread.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86105, "scanner": "repobility-ai-code-hygiene", "fingerprint": "74b830a4d803aa1f5203c993b8c94c0b73dedf6708d2515f16366265f9bf24c7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/development-runtime/src/pages/collection-routing/mutations/{FilesystemRoutesMutation.computed}.js", "duplicate_line": 1, "correlation_key": "fp|74b830a4d803aa1f5203c993b8c94c0b73dedf6708d2515f16366265f9bf24c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/src/pages/collection-routing/mutations/{FilesystemRoutesMutation.slug}.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86104, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b10dfa55896c540209114ff500e1df6b7753b18f09fcde2a2a829a764b160fc9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/development-runtime/src/pages/collection-routing/mutations/child-{FilesystemRoutesMutationChild.computed}.js", "duplicate_line": 1, "correlation_key": "fp|b10dfa55896c540209114ff500e1df6b7753b18f09fcde2a2a829a764b160fc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/src/pages/collection-routing/mutations/child-{FilesystemRoutesMutationChild.slug}.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86103, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d08f5bfec058ca93bf26c9b320dc73e7ffae18da9fdb6aa66382ad7c850b36f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/adapters/src/pages/routes/sub-router/[...].jsx", "duplicate_line": 7, "correlation_key": "fp|9d08f5bfec058ca93bf26c9b320dc73e7ffae18da9fdb6aa66382ad7c850b36f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/src/pages/client-only-paths.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86102, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f409671338ad0209c51f2536dd34bce238b0b3fd8269e6aade6f115fe9a674fb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/contentful/src/components/layout.js", "duplicate_line": 5, "correlation_key": "fp|f409671338ad0209c51f2536dd34bce238b0b3fd8269e6aade6f115fe9a674fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/src/components/layout.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86101, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bdb0f5d2d5c301000cc69e96f3abe7a066334512c540b76743dc3ede968b0181", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in 
two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/contentful/src/components/header.js", "duplicate_line": 15, "correlation_key": "fp|bdb0f5d2d5c301000cc69e96f3abe7a066334512c540b76743dc3ede968b0181"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/src/components/header.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86100, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a10f32388a891acba15ce1d5a0463d8f3fb2376fd850beb1af618f8375964987", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/development-runtime/plugins/gatsby-source-fake-data/gatsby-node.js", "duplicate_line": 1, "correlation_key": "fp|a10f32388a891acba15ce1d5a0463d8f3fb2376fd850beb1af618f8375964987"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/plugins/gatsby-source-pinc-data/gatsby-node.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86099, "scanner": "repobility-ai-code-hygiene", "fingerprint": "47a8b84ef9240409e4bd908a7999b1b63480390a9d062e356f75a35e44d269a8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/development-runtime/plugins/gatsby-source-fake-data/api.js", "duplicate_line": 5, "correlation_key": "fp|47a8b84ef9240409e4bd908a7999b1b63480390a9d062e356f75a35e44d269a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/plugins/gatsby-source-pinc-data/api.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86098, "scanner": "repobility-ai-code-hygiene", "fingerprint": "960a83c9e929d2e8251c7198d1ce1445f69c85f8c74c1863da11b7aa5a8fc797", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/adapters/cypress/e2e/remote-file.cy.ts", "duplicate_line": 101, "correlation_key": "fp|960a83c9e929d2e8251c7198d1ce1445f69c85f8c74c1863da11b7aa5a8fc797"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/cypress/integration/remote-file/gatsby-plugin-image.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86097, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0a44f0d976eecd5059bea43fd332fcbaba2456638763dc2e8852e3850018a2f6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": 
{"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/development-runtime/cypress/integration/hot-reloading/error-handling/page-query-result-runtime-error.js", "duplicate_line": 39, "correlation_key": "fp|0a44f0d976eecd5059bea43fd332fcbaba2456638763dc2e8852e3850018a2f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/cypress/integration/hot-reloading/error-handling/static-query-result-runtime-error.js"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86096, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b53cd435f16972978d43713584c394ad82d00972d1c42c1954ad3b6545e10be3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/development-runtime/cypress/integration/hot-reloading/error-handling/page-query-result-runtime-error.js", "duplicate_line": 39, "correlation_key": "fp|b53cd435f16972978d43713584c394ad82d00972d1c42c1954ad3b6545e10be3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/cypress/integration/hot-reloading/error-handling/runtime-error.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86095, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d36ab7c60df1a4386485869db192b27b7cd30f5e35342065111f48fbb49a6cb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/contentful/src/pages/content-reference.js", "duplicate_line": 125, "correlation_key": "fp|9d36ab7c60df1a4386485869db192b27b7cd30f5e35342065111f48fbb49a6cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/contentful/src/pages/rich-text.js"}, "region": {"startLine": 153}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86094, "scanner": "repobility-ai-code-hygiene", "fingerprint": "15fdfbae72f8ecebfa4f04e090873195f11d9773aa6fe769a704ebd99029970a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/adapters/gatsby-node.ts", "duplicate_line": 13, "correlation_key": "fp|15fdfbae72f8ecebfa4f04e090873195f11d9773aa6fe769a704ebd99029970a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/adapters/src/pages/routes/ssr/remote-file.jsx"}, "region": {"startLine": 61}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86093, "scanner": "repobility-ai-code-hygiene", "fingerprint": "28e008b69093af42e909a9ac9d05f494c8fbea92e8a0b87c9776f1aa29ba93de", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears 
in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/adapters/src/pages/routes/ssg/remote-file.jsx", "duplicate_line": 6, "correlation_key": "fp|28e008b69093af42e909a9ac9d05f494c8fbea92e8a0b87c9776f1aa29ba93de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/adapters/src/pages/routes/ssr/remote-file.jsx"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86092, "scanner": "repobility-ai-code-hygiene", "fingerprint": "31ef75410dd36e4859485b9c56f774242d87c25eb58b501c3eb3c74cf22e758b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/adapters/gatsby-node.ts", "duplicate_line": 13, "correlation_key": "fp|31ef75410dd36e4859485b9c56f774242d87c25eb58b501c3eb3c74cf22e758b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/adapters/src/pages/routes/ssg/remote-file.jsx"}, "region": {"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86091, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2dfc5a1c632f6d20cc1c8b88cbd10a98cbbc860b89d0749d167dc18daf560dd2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e-tests/adapters/src/pages/404.jsx", "duplicate_line": 1, "correlation_key": "fp|2dfc5a1c632f6d20cc1c8b88cbd10a98cbbc860b89d0749d167dc18daf560dd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/adapters/src/pages/500.jsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86090, "scanner": "repobility-ai-code-hygiene", "fingerprint": "27f989718699e2625c567f5e3aaa5b6aabb0af0d5f7de2a8e05dd3d2ce109c2b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "deprecated-packages/gatsby-telemetry/src/index.ts", "duplicate_line": 49, "correlation_key": "fp|27f989718699e2625c567f5e3aaa5b6aabb0af0d5f7de2a8e05dd3d2ce109c2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-telemetry/src/telemetry.ts"}, "region": {"startLine": 224}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86089, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3aadd38e047c0989bad596bc3cad87f03344f3f8771693bdefc894deed11f20d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"deprecated-packages/gatsby-recipes/src/providers/npm/package-json.js", "duplicate_line": 6, "correlation_key": "fp|3aadd38e047c0989bad596bc3cad87f03344f3f8771693bdefc894deed11f20d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-recipes/src/providers/npm/script.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86088, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8e3c75eb8cbc94922a017558e432c27f60a335cfa52063edba3db0baac200f7c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "deprecated-packages/gatsby-recipes/src/providers/gatsby/plugin.js", "duplicate_line": 445, "correlation_key": "fp|8e3c75eb8cbc94922a017558e432c27f60a335cfa52063edba3db0baac200f7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-recipes/src/providers/gatsby/site-metadata.js"}, "region": {"startLine": 218}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86087, "scanner": "repobility-ai-code-hygiene", "fingerprint": "83272afa82f93d18db6502dfadfe27fe5907da454980431f0b67a2974e5f4ae6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"deprecated-packages/gatsby-recipes/src/providers/gatsby/page.js", "duplicate_line": 85, "correlation_key": "fp|83272afa82f93d18db6502dfadfe27fe5907da454980431f0b67a2974e5f4ae6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-recipes/src/providers/gatsby/site-metadata.js"}, "region": {"startLine": 191}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86086, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a44c90c4f9ffabafb5b29ea69cd323348d34aca453f2175c289eff9ce7bd5ec3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "deprecated-packages/gatsby-admin/src/components/recipes-gui/index.js", "duplicate_line": 84, "correlation_key": "fp|a44c90c4f9ffabafb5b29ea69cd323348d34aca453f2175c289eff9ce7bd5ec3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-recipes/src/cli/index.js"}, "region": {"startLine": 325}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 86085, "scanner": "repobility-ai-code-hygiene", "fingerprint": "562477e1836fb6c63143885bb2bf5d2d525be3cdd81071efbe53e00912fbb131", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": 
"fp|562477e1836fb6c63143885bb2bf5d2d525be3cdd81071efbe53e00912fbb131"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/cypress/integration/functionality/data-update.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 86084, "scanner": "repobility-ai-code-hygiene", "fingerprint": "12b5896d75ead10521a43a3b1bbe6e17b420c3d84e711d34d3105460c1e3564d", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "new", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|12b5896d75ead10521a43a3b1bbe6e17b420c3d84e711d34d3105460c1e3564d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-theme/gatsby-theme-new.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review."}, "properties": {"repobilityId": 86017, "scanner": "repobility-threat-engine", "fingerprint": "aa467ef25eb4a282f6aaa86a4bb94309239bddab1ec03d04dd047f585ef06a53", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Finished preparing \" + N + \" articles\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aa467ef25eb4a282f6aaa86a4bb94309239bddab1ec03d04dd047f585ef06a53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/gabe-fs-markdown-images/gen.js"}, "region": {"startLine": 285}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review."}, "properties": {"repobilityId": 86016, "scanner": "repobility-threat-engine", "fingerprint": "b77a4ea80e6e06101c1322f76b31581aa891a9a3fadc8481a9fc50e2d1047860", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Now generating \" + N + \" articles into\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b77a4ea80e6e06101c1322f76b31581aa891a9a3fadc8481a9fc50e2d1047860"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/gabe-csv-text/gen.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 86015, "scanner": "repobility-threat-engine", "fingerprint": "3e865ae0ea0e3ac3b688e98431338e5b31912b63de74c3d54a128a72e8f36223", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Now generating \" + N + \" articles into\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3e865ae0ea0e3ac3b688e98431338e5b31912b63de74c3d54a128a72e8f36223"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/gabe-csv-markdown/gen.js"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 86083, "scanner": "repobility-threat-engine", "fingerprint": "58c4da94b9afa5e01231817b007f3565b1e41c81ffd2047d0b8bd42d1b51c56a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|58c4da94b9afa5e01231817b007f3565b1e41c81ffd2047d0b8bd42d1b51c56a", "aggregated_count": 2}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 86077, "scanner": "repobility-threat-engine", "fingerprint": "a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "aggregated_count": 4}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 86076, "scanner": "repobility-threat-engine", "fingerprint": "b7be6e5d5cf2a2a7973130e983387ef6f5498b6a6c46e7baa15cb5cd145b3bad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b7be6e5d5cf2a2a7973130e983387ef6f5498b6a6c46e7baa15cb5cd145b3bad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gatsby-cli/src/index.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 86075, "scanner": "repobility-threat-engine", "fingerprint": "1f13403eecd08dc9e617f64e512e79c5f490a27be9ab794b2e59d4760f130cd2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1f13403eecd08dc9e617f64e512e79c5f490a27be9ab794b2e59d4760f130cd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-gatsby/src/plugin-options-form.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 86074, "scanner": "repobility-threat-engine", "fingerprint": "8e9b8a225d42d736084fd4eb8c30cd31e9d783354deb61dd01c9da5e69338c09", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8e9b8a225d42d736084fd4eb8c30cd31e9d783354deb61dd01c9da5e69338c09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/babel-preset-gatsby/src/optimize-hook-destructuring.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED078", "level": "none", "message": {"text": "[MINED078] Eslint Disable File: /* eslint-disable */ at top disables all lint rules for the file."}, "properties": {"repobilityId": 86073, "scanner": "repobility-threat-engine", "fingerprint": "2fb990b0369b382cca11beedc701e60dfbc5f93476b788250835ec0ac425f046", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "eslint-disable-file", "owasp": null, "cwe_ids": [], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348118+00:00", "triaged_in_corpus": 12, "observations_count": 7287, "ai_coder_pattern_id": 101}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2fb990b0369b382cca11beedc701e60dfbc5f93476b788250835ec0ac425f046"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "examples/using-js-search/src/components/SearchContainer.js"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED078", "level": "none", "message": {"text": "[MINED078] Eslint Disable File: /* eslint-disable */ at top disables all lint rules for the file."}, "properties": {"repobilityId": 86072, "scanner": "repobility-threat-engine", "fingerprint": "bf887b34a56c7b426d86ad739d323d4f62f8c07805be9457205f8bcece8716d6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "eslint-disable-file", "owasp": null, "cwe_ids": [], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348118+00:00", "triaged_in_corpus": 12, "observations_count": 7287, "ai_coder_pattern_id": 101}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bf887b34a56c7b426d86ad739d323d4f62f8c07805be9457205f8bcece8716d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/using-js-search/src/components/ClientSearch.js"}, "region": {"startLine": 184}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 86071, "scanner": "repobility-threat-engine", "fingerprint": "bbcb733a3fba112627e4b7e830cefd1595cf5645df4ccaa9a211a5c5e0592cd4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|bbcb733a3fba112627e4b7e830cefd1595cf5645df4ccaa9a211a5c5e0592cd4", "aggregated_count": 6}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 86070, "scanner": "repobility-threat-engine", "fingerprint": "376d50cf1eee090f41f67ba78343781e6e71c0ab025515b3cf96498b9ad10d27", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|376d50cf1eee090f41f67ba78343781e6e71c0ab025515b3cf96498b9ad10d27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/styleguide/src/templates/ComponentPage/ComponentPage.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 86069, "scanner": "repobility-threat-engine", "fingerprint": 
"351bd97ad9a321ff03006b8c19eef4fbfbcadb22236f671a31f11b3c4cb15b0b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|351bd97ad9a321ff03006b8c19eef4fbfbcadb22236f671a31f11b3c4cb15b0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/development-runtime/src/pages/static-query.js"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 86068, "scanner": "repobility-threat-engine", "fingerprint": "62a0c9eed2e69404fa02a7a43fd8ca511897a0ddfc969e4d20d5993d90fca0cf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|62a0c9eed2e69404fa02a7a43fd8ca511897a0ddfc969e4d20d5993d90fca0cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e-tests/contentful/src/pages/text.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC084", 
"level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 86067, "scanner": "repobility-threat-engine", "fingerprint": "e5bc9bf5f42d9f2194ea7d1c2041149f1dd167602643d8715ae0a1e0f31c2c9d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e5bc9bf5f42d9f2194ea7d1c2041149f1dd167602643d8715ae0a1e0f31c2c9d"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 86063, "scanner": "repobility-threat-engine", "fingerprint": "ee2ae9f292abd9a6ae7a62efdc7cc95904809573b35f587aadee6dab40f92c80", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ee2ae9f292abd9a6ae7a62efdc7cc95904809573b35f587aadee6dab40f92c80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gatsby-cli/src/reporter/reporter.ts"}, "region": {"startLine": 337}}}]}, {"ruleId": "MINED054", "level": 
"none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 86062, "scanner": "repobility-threat-engine", "fingerprint": "b7593ab943e781c7794dadc38c7733651dec589c6daacb5c121306143f57df29", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b7593ab943e781c7794dadc38c7733651dec589c6daacb5c121306143f57df29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gatsby-cli/src/reporter/redux/actions.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 86061, "scanner": "repobility-threat-engine", "fingerprint": "dd0288b5fa2e584a9a600a5ecbbb06ba96ec7a06e0e20fe842e517a958f451e3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dd0288b5fa2e584a9a600a5ecbbb06ba96ec7a06e0e20fe842e517a958f451e3"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "deprecated-packages/gatsby-telemetry/src/telemetry.ts"}, "region": {"startLine": 140}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 86060, "scanner": "repobility-threat-engine", "fingerprint": "29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc"}}}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 86054, "scanner": "repobility-threat-engine", "fingerprint": "e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921"}}}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 86050, "scanner": "repobility-threat-engine", "fingerprint": "a1bb6273fbdc514ec53143946386dbdf16802c8fad0fe59f75dea80ba84c286d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a1bb6273fbdc514ec53143946386dbdf16802c8fad0fe59f75dea80ba84c286d"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 86044, "scanner": "repobility-threat-engine", "fingerprint": "43b9f299b92df2b2231abd196b30cd1d5992eef3947b8887cc7812d95069bd4a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|43b9f299b92df2b2231abd196b30cd1d5992eef3947b8887cc7812d95069bd4a", "aggregated_count": 13}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 86043, "scanner": "repobility-threat-engine", "fingerprint": "bd7591ae3008d60b4f2bac21b8b9625027a613f8d78b162ebff848f67ae1468a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bd7591ae3008d60b4f2bac21b8b9625027a613f8d78b162ebff848f67ae1468a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-admin/src/urql-client.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 86042, "scanner": "repobility-threat-engine", "fingerprint": "442a93ce8ce36c44859ffa9290a5ebb02af287eb891c9e92f35a4e35521b3580", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|442a93ce8ce36c44859ffa9290a5ebb02af287eb891c9e92f35a4e35521b3580"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-admin/src/pages/index.tsx"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 86041, "scanner": "repobility-threat-engine", "fingerprint": "fe61f7cc2061eaf14d12785381734fb2d6a5bdd806ea38ac8ff0b52204234263", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fe61f7cc2061eaf14d12785381734fb2d6a5bdd806ea38ac8ff0b52204234263"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/source-datocms/scripts/updater.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 86040, "scanner": "repobility-threat-engine", "fingerprint": "501876d43fbaf15c6d4055194dcce53c187c4dbbef78a664b67e46162788cb51", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|501876d43fbaf15c6d4055194dcce53c187c4dbbef78a664b67e46162788cb51"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 86039, "scanner": "repobility-threat-engine", "fingerprint": "ba3111d76c1d4acee09aa5f0acc61c16c6c502264ba8777d7b236e263736ad58", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error(`You must add the BENCHMARK_FLOTIQ_API_TOKEN env variable`)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|4|console.error you must add the benchmark_flotiq_api_token env variable"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/source-flotiq/scripts/updater.js"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 86038, "scanner": "repobility-threat-engine", "fingerprint": "bdca4233b9cd73d360718564b5887fe4b0734036b990b70fb078f80ac675afad", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error(`You must pass in a DatoCMS API token`)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|3|console.error you must pass in a datocms api token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/source-datocms/scripts/updater.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 86036, "scanner": "repobility-threat-engine", "fingerprint": "95d0cabfb7d60922b2e4f3b36f5dce07e4c48a0707c1e845b97918269bb1d1e3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|95d0cabfb7d60922b2e4f3b36f5dce07e4c48a0707c1e845b97918269bb1d1e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/source-agilitycms/src/agility/components/DynamicPreviewPage.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 86034, "scanner": "repobility-threat-engine", "fingerprint": "3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 86030, "scanner": "repobility-threat-engine", "fingerprint": "4e858a56c34b65b0912e3fe629971d6d32fcda68cee02eb1f3bab34175679dd4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4e858a56c34b65b0912e3fe629971d6d32fcda68cee02eb1f3bab34175679dd4"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 86026, "scanner": "repobility-threat-engine", "fingerprint": "cdd7683682478d1748823cf32e0790d89a8c444eeb4c65500570833e3ea4de01", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|cdd7683682478d1748823cf32e0790d89a8c444eeb4c65500570833e3ea4de01", "aggregated_count": 13}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 86025, "scanner": "repobility-threat-engine", "fingerprint": "bbbdd5ed65d610930a3ce73f54010f87832f08235ea1d79614b47a40a73ddc52", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 
12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bbbdd5ed65d610930a3ce73f54010f87832f08235ea1d79614b47a40a73ddc52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-plugin-graphql-config/src/gatsby-node.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 86024, "scanner": "repobility-threat-engine", "fingerprint": "5c97b3a0e3f56e7f1beb1f2c1b8e83a120acd7db743b10a7588290db02c5467f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5c97b3a0e3f56e7f1beb1f2c1b8e83a120acd7db743b10a7588290db02c5467f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/image-processing/plugins/gatsby-source-remote-images/fetch-image-urls.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 86023, "scanner": "repobility-threat-engine", "fingerprint": "ffe38c09d0232e7decb75ed08f01faa5ff8cb6355777f0a41bf6a1faf75b01ac", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", 
"evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ffe38c09d0232e7decb75ed08f01faa5ff8cb6355777f0a41bf6a1faf75b01ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/gabe-yaml-text/gen.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html (and 72 more): Same pattern found in 72 additional files. Review if needed."}, "properties": {"repobilityId": 86022, "scanner": "repobility-threat-engine", "fingerprint": "52a6cc8c2f3694187c0d1b80dbdd78da421af1e7c1bdf41c742ef9a68ba4effc", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 72 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|52a6cc8c2f3694187c0d1b80dbdd78da421af1e7c1bdf41c742ef9a68ba4effc", "aggregated_count": 72}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 86021, "scanner": "repobility-threat-engine", "fingerprint": "3fdb5192537c52b7a9cad901e40beeba29d6872182eacab5a7a60166f40631fe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3fdb5192537c52b7a9cad901e40beeba29d6872182eacab5a7a60166f40631fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/gabe-csv-text/src/pages/index.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 86020, "scanner": "repobility-threat-engine", "fingerprint": "759679dedbb4788d4c59b7328b2d22cc5136b1e4f5357230e1f5f951c21572a3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|759679dedbb4788d4c59b7328b2d22cc5136b1e4f5357230e1f5f951c21572a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/gabe-csv-markdown/src/templates/blog-post.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 86019, "scanner": "repobility-threat-engine", "fingerprint": "5f0619d5426d6b8da4d005a74d1ec911ba92f04c3484798049dd717d33c676a2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5f0619d5426d6b8da4d005a74d1ec911ba92f04c3484798049dd717d33c676a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/gabe-csv-markdown/src/pages/index.js"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 86018, "scanner": "repobility-threat-engine", "fingerprint": "097d27b2deaca55861bf7fc2fde9b3c1ab45a5a98b541bd572ee8991d2ed26b1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|097d27b2deaca55861bf7fc2fde9b3c1ab45a5a98b541bd572ee8991d2ed26b1"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 86014, "scanner": "repobility-threat-engine", "fingerprint": "4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 86010, "scanner": "repobility-threat-engine", "fingerprint": "2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 129 more): Same pattern found in 129 additional files. Review if needed."}, "properties": {"repobilityId": 86006, "scanner": "repobility-threat-engine", "fingerprint": "75a8787b979878e29a68531cfcce6cab1bdabfc057950e346d5db8cf4c8d767a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 129 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|75a8787b979878e29a68531cfcce6cab1bdabfc057950e346d5db8cf4c8d767a", "aggregated_count": 129}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 86005, "scanner": "repobility-threat-engine", "fingerprint": "0b613410f45ecedc426207104a67616e027ca902403651af0c6dcbecf680bae9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0b613410f45ecedc426207104a67616e027ca902403651af0c6dcbecf680bae9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/docker-runner/scripts/test-suite.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 86004, "scanner": "repobility-threat-engine", "fingerprint": "03654c897d20f903a78e0129c3987ff7b12891518ce13b862d1cfeb311113ec6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|03654c897d20f903a78e0129c3987ff7b12891518ce13b862d1cfeb311113ec6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/docker-runner/gatsby-node.js"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 86003, "scanner": "repobility-threat-engine", "fingerprint": "0882f7bcfaddd39bfcce2c1614e7031e5c6007e1075718d0dd2718e1f8b31953", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0882f7bcfaddd39bfcce2c1614e7031e5c6007e1075718d0dd2718e1f8b31953"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/gatsby-site-showcase-validator/index.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:10-slim` not pinned by digest: `FROM node:10-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86156, "scanner": "repobility-supply-chain", "fingerprint": "15507f5145623162306eb4300a8225dcc7de22748933b9d6b89caece30519e85", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|15507f5145623162306eb4300a8225dcc7de22748933b9d6b89caece30519e85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/gatsby-site-showcase-validator/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:10-slim` not pinned by digest: `FROM node:10-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86155, "scanner": "repobility-supply-chain", "fingerprint": "76f3b556d716261c7aa53c8bdd45e6f4b81fc3f60d3929ddbe8407b3dd2e2cb4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76f3b556d716261c7aa53c8bdd45e6f4b81fc3f60d3929ddbe8407b3dd2e2cb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/high-priority-prs/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pullreminders/slack-action` pinned to mutable ref `@master`: `uses: pullreminders/slack-action@master` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86154, "scanner": "repobility-supply-chain", "fingerprint": "4e5021654db4199684fb0f010c228da6aa3dd80d0dfe0151c81727e4e12905d8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e5021654db4199684fb0f010c228da6aa3dd80d0dfe0151c81727e4e12905d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/schedule-stale.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/stale` pinned to mutable ref `@v10`: `uses: actions/stale@v10` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86153, "scanner": "repobility-supply-chain", "fingerprint": "75a12be8dfa6aebd597ce0ef5bf0bb96d62d5e219726f9ea7559c1540f928480", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|75a12be8dfa6aebd597ce0ef5bf0bb96d62d5e219726f9ea7559c1540f928480"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/schedule-stale.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86152, "scanner": "repobility-supply-chain", "fingerprint": "1cfa16ac4d795a8ff74ce83b2e256628d2b71374f9505471b1df6e757f9ed143", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1cfa16ac4d795a8ff74ce83b2e256628d2b71374f9505471b1df6e757f9ed143"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/schedule-stale.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:14-buster` not pinned by digest: `FROM node:14-buster` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86151, "scanner": "repobility-supply-chain", "fingerprint": "3f3f326bdf9201b53e2cad78da9ec7cbca0fceadc25f0583061db4188ab7bfdc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3f3f326bdf9201b53e2cad78da9ec7cbca0fceadc25f0583061db4188ab7bfdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/docker-runner/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `wordpress:cli-php7.4` not pinned by digest: `FROM wordpress:cli-php7.4` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86150, "scanner": "repobility-supply-chain", "fingerprint": "6674b4991dfd8e4333e5788a4bdf7f54e67a5d79b838b12b014faf08e8fb4427", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6674b4991dfd8e4333e5788a4bdf7f54e67a5d79b838b12b014faf08e8fb4427"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/gatsby-source-wordpress/docker/wp-cli/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `wordpress:6.1` not pinned by digest: `FROM wordpress:6.1` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86149, "scanner": "repobility-supply-chain", "fingerprint": "8a0270b7280d52f3d66d4d939d49c5d8fc09af47ae1ebd4cd86adaf1fb34c928", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8a0270b7280d52f3d66d4d939d49c5d8fc09af47ae1ebd4cd86adaf1fb34c928"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/gatsby-source-wordpress/docker/wordpress/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `gitpod/workspace-full` (no tag) not pinned by digest: `FROM gitpod/workspace-full` has no tag, so it resolves to the default `latest` tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86148, "scanner": "repobility-supply-chain", "fingerprint": "be0292132c916b2ea4ace99f8b95f4d927c4f68501dec9bfdf6daa5db0c1f1fa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be0292132c916b2ea4ace99f8b95f4d927c4f68501dec9bfdf6daa5db0c1f1fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".gitpod.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 86131, "scanner": "repobility-docker", "fingerprint": "a494aa3847987423fe8f32704c62f582c077ea01e78bdc331a43a968eac7cbfc", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "3306:3306", "target": "3306", "host_ip": "", "published": "3306"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|a494aa3847987423fe8f32704c62f582c077ea01e78bdc331a43a968eac7cbfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/gatsby-source-wordpress/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: 
MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 86082, "scanner": "repobility-threat-engine", "fingerprint": "54a8f0917c753c38f48ff81e1ee23e86aedb807760a242cbbaac370f183bbc2b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|54a8f0917c753c38f48ff81e1ee23e86aedb807760a242cbbaac370f183bbc2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gatsby-core-utils/src/filename-utils.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 86081, "scanner": "repobility-threat-engine", "fingerprint": "946162a30f283ead9bb212c33479d6aef348a228565e8ac9981b8af48f8c7b71", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|946162a30f283ead9bb212c33479d6aef348a228565e8ac9981b8af48f8c7b71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gatsby-core-utils/src/create-content-digest.ts"}, "region": 
{"startLine": 6}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 86080, "scanner": "repobility-threat-engine", "fingerprint": "1e65ae6554d63e209750980fd51f101d63a9fe88dc688bfe84f018a876278756", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1e65ae6554d63e209750980fd51f101d63a9fe88dc688bfe84f018a876278756"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gatsby-adapter-netlify/src/file-cdn-url-generator.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED031", "level": "error", "message": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. 
React won't re-render."}, "properties": {"repobilityId": 86079, "scanner": "repobility-threat-engine", "fingerprint": "bfba8ffd5b1adfb0d5a01a61d80472815e81a7a95481196c485750d23ff4d1c7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-direct-state-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347971+00:00", "triaged_in_corpus": 15, "observations_count": 6168, "ai_coder_pattern_id": 137}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bfba8ffd5b1adfb0d5a01a61d80472815e81a7a95481196c485750d23ff4d1c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-gatsby/src/components/text.js"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED031", "level": "error", "message": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. 
React won't re-render."}, "properties": {"repobilityId": 86078, "scanner": "repobility-threat-engine", "fingerprint": "adf732b4b60e749b877c61617842c20aab81773a05bced8cf8f5cc2cbea2477b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-direct-state-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347971+00:00", "triaged_in_corpus": 15, "observations_count": 6168, "ai_coder_pattern_id": 137}, "scanner": "repobility-threat-engine", "correlation_key": "fp|adf732b4b60e749b877c61617842c20aab81773a05bced8cf8f5cc2cbea2477b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-gatsby/src/components/select.js"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 86059, "scanner": "repobility-threat-engine", "fingerprint": "17a253e45c4f4cc736ba503ce769491878c82f24f1f5acc97c2d455db5ebb74d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|17a253e45c4f4cc736ba503ce769491878c82f24f1f5acc97c2d455db5ebb74d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gatsby-adapter-netlify/src/file-cdn-handler.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 86058, "scanner": "repobility-threat-engine", "fingerprint": "a2ba9dba7540efa74a18825adf5c863ba1ff4421d09cfc6afaa10bd09edb4f2f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a2ba9dba7540efa74a18825adf5c863ba1ff4421d09cfc6afaa10bd09edb4f2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-recipes/src/resolve-recipe.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 86057, "scanner": "repobility-threat-engine", "fingerprint": "24857da59f39bc65ff236bdc230959d2311eaaf496d67e163954f7a958d30090", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|24857da59f39bc65ff236bdc230959d2311eaaf496d67e163954f7a958d30090"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-recipes/src/providers/fs/file.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 86049, "scanner": "repobility-threat-engine", "fingerprint": "29030d45e37f6e6c9a0cbca9b4ce5061e3066706bf8dc56ade6cacb2f71b09e6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\n            match", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|29030d45e37f6e6c9a0cbca9b4ce5061e3066706bf8dc56ade6cacb2f71b09e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/gatsby-cli/test-helpers/matcher.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 86048, "scanner": "repobility-threat-engine", "fingerprint": "ec5e4b5e128266fa62e8b8c0af27b29d8c23fb9f01abe345b765a4a4318f78bd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(regexpEscape", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ec5e4b5e128266fa62e8b8c0af27b29d8c23fb9f01abe345b765a4a4318f78bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-telemetry/src/error-helpers.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 86047, "scanner": "repobility-threat-engine", "fingerprint": "d5d7351e9d2a7110bd8d2b47aa6a465f60c73ba13b63bb914cbdb1114e1bbb6d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d5d7351e9d2a7110bd8d2b47aa6a465f60c73ba13b63bb914cbdb1114e1bbb6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-admin/src/utils/use-telemetry.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 86037, "scanner": "repobility-threat-engine", "fingerprint": "d6af6be336335cd55d08683f9891049885f545682fe6ed3cd8a5a61fffdeb32c", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.error(`You must pass username, password and server`)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|5|console.error you must pass username password and server"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/source-drupal/scripts/updater.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 86033, "scanner": "repobility-threat-engine", "fingerprint": "ec12a5fa09df65cec1fbbdc939bc28bccfd09211e1101467191f93282b0adb2b", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(() =>\n    `\n|${faker.lorem.word()}|${faker.lorem.sentence()}|${faker.random.boolean()}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ec12a5fa09df65cec1fbbdc939bc28bccfd09211e1101467191f93282b0adb2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/markdown_table/page-template.js"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 86032, "scanner": "repobility-threat-engine", "fingerprint": "98d25fe8cb2a5ee97660c7dae6cee15c12a960b956ee46f83b720a4db429a67a", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(() =>\n    `\n|${faker.lorem.word()}|${faker.lorem.sentence()}|${faker.random.boolean()}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|98d25fe8cb2a5ee97660c7dae6cee15c12a960b956ee46f83b720a4db429a67a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/markdown_slug/md.tpl.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 86031, "scanner": "repobility-threat-engine", "fingerprint": "b851e90ce4920434dc799dc5209f1280f20b4f85916b098f47f7313e46b4d5d1", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(() =>\n    `\n|${faker.lorem.word()}|${faker.lorem.sentence()}|${faker.random.boolean()}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b851e90ce4920434dc799dc5209f1280f20b4f85916b098f47f7313e46b4d5d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/markdown_id/md.tpl.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 86029, "scanner": "repobility-threat-engine", "fingerprint": "13d63025e26ede3582704bf1b573f930459f0122450526407a53c7ac3a4cf29c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "blockedResources.delete(cacheKey)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|13d63025e26ede3582704bf1b573f930459f0122450526407a53c7ac3a4cf29c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-recipes/src/renderer/render.js"}, "region": {"startLine": 184}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 86028, "scanner": "repobility-threat-engine", "fingerprint": "146f02c12ea4e5aad05e5220062a616515e53f37d7786dc4b7cf56c7deab3c8d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.all(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|146f02c12ea4e5aad05e5220062a616515e53f37d7786dc4b7cf56c7deab3c8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-plugin-gatsby-cloud/src/build-headers-program.js"}, "region": {"startLine": 203}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 86027, "scanner": "repobility-threat-engine", "fingerprint": "8690176153c8d2cdf71e14cd2e9e91daffc7caf11f85e88f7255ce110d78617a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.all(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8690176153c8d2cdf71e14cd2e9e91daffc7caf11f85e88f7255ce110d78617a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/image-processing/plugins/gatsby-source-remote-images/gatsby-node.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 86013, "scanner": "repobility-threat-engine", "fingerprint": "8b9e276dee8047dd3bf2d55b0d0ebdffd345f7ceb0b41f593a4a9e85abf11e3b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8b9e276dee8047dd3bf2d55b0d0ebdffd345f7ceb0b41f593a4a9e85abf11e3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/source-agilitycms/src/agility/components/DynamicPreviewPage.js"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 86012, "scanner": "repobility-threat-engine", "fingerprint": "653f76eae9e95483e10dbd8269dcdb23dd19757994d5e07b03fdd2bdc410cd1d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|653f76eae9e95483e10dbd8269dcdb23dd19757994d5e07b03fdd2bdc410cd1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/docker-runner/scripts/test.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 86011, "scanner": "repobility-threat-engine", "fingerprint": "d82d511f5c8d3ad36697e31070f24308ba1fe8c9f2ebd5d5ca465014b3fcacfe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d82d511f5c8d3ad36697e31070f24308ba1fe8c9f2ebd5d5ca465014b3fcacfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/docker-runner/scripts/test-suite.js"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 86138, "scanner": "repobility-docker", "fingerprint": "7d7755d06657d0049477ec2c68d67c497e98dcb03adb91185046ef4585ea0e62", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "wordpress-cli", "variable": "WORDPRESS_DB_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|7d7755d06657d0049477ec2c68d67c497e98dcb03adb91185046ef4585ea0e62", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/gatsby-source-wordpress/docker-compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": 
"Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 86134, "scanner": "repobility-docker", "fingerprint": "65261375cc012ccb7cc8f66826c71127c3e026af3a0f615558195646d507bf20", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "wordpress", "variable": "WORDPRESS_DB_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|65261375cc012ccb7cc8f66826c71127c3e026af3a0f615558195646d507bf20", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/gatsby-source-wordpress/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 86130, "scanner": "repobility-docker", "fingerprint": "ad17486e5de84adb20e09d0c0c14cc7257863f0c10bb5d4d37130b0b65056f0f", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "db", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|ad17486e5de84adb20e09d0c0c14cc7257863f0c10bb5d4d37130b0b65056f0f", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "integration-tests/gatsby-source-wordpress/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 86066, "scanner": "repobility-threat-engine", "fingerprint": "cf1ee25a771842e2f35521eccf7d5e4c2d221893a7e382b7599a4b75c0d60bd5", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(pageDataPath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cf1ee25a771842e2f35521eccf7d5e4c2d221893a7e382b7599a4b75c0d60bd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/cache-resilience/gatsby-node.js"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 86065, "scanner": "repobility-threat-engine", "fingerprint": "cc58352ba0c71070486de5d1462ff95365a22a21f600832a47451b8bf9237b66", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cc58352ba0c71070486de5d1462ff95365a22a21f600832a47451b8bf9237b66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-theme/gatsby-theme-eject.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 86064, "scanner": "repobility-threat-engine", "fingerprint": "bf3c98310d9e74c77c5035a07492b90c615a5fc106bdbc3a5ca4cb9f6f6abe62", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bf3c98310d9e74c77c5035a07492b90c615a5fc106bdbc3a5ca4cb9f6f6abe62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-theme/gatsby-theme-debug.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "properties": {"repobilityId": 86056, "scanner": "repobility-threat-engine", "fingerprint": "ff772a1fe1eb52397bb5b131212f74e93b244535c8e7ce41a131574d25d4addd", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ff772a1fe1eb52397bb5b131212f74e93b244535c8e7ce41a131574d25d4addd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-recipes/src/renderer/index.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED035", "level": 
"error", "message": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "properties": {"repobilityId": 86055, "scanner": "repobility-threat-engine", "fingerprint": "ea732cabdb3a6f0769cab63ef591d2d285d61c02868c6eda603939c1b09638dc", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea732cabdb3a6f0769cab63ef591d2d285d61c02868c6eda603939c1b09638dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated-packages/gatsby-recipes/src/components/step-renderer.js"}, "region": {"startLine": 31}}}]}]}]}