{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "LOG001", "name": "PII printed to stdout/stderr", "shortDescription": {"text": "PII printed to stdout/stderr"}, "fullDescription": {"text": "Logging password/token/email/ssn directly to stdout."}, "properties": {"scanner": "repobility", "category": "logging", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "SUPC002", "name": "Supply chain \u2014 npm install without lockfile", "shortDescription": {"text": "Supply chain \u2014 npm install without lockfile"}, "fullDescription": {"text": "Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"scanner": "repobility", "category": "supply_chain", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "CRYP001", "name": "Crypto \u2014 plaintext HTTP for sensitive endpoint", "shortDescription": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "fullDescription": {"text": "Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"scanner": "repobility", "category": "crypto", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Codex session JSONL files can contain prompts, tool events, paths, and operational metadata, not only token counts. Token dashboards and exporters should avoid retaining or sharing raw session text."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "QUAL005", "name": "Cluster of TODOs in one file", "shortDescription": {"text": "Cluster of TODOs in one file"}, "fullDescription": {"text": "Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"scanner": "repobility", "category": "quality", "severity": "low", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 4 more): Same pattern found in 4 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check (and 1 more): Same pattern found in 1 a", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 32 more): Same pattern found in 32 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 32 more): Same pattern found in 32 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 22 more): Same pattern found in 22 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 31 more): Same pattern found in 31 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express POST /api/v1/capabilities/runtime-tools/onboarding/alignment-question has no auth: Express route POST", "shortDescription": {"text": "[MINED113] Express POST /api/v1/capabilities/runtime-tools/onboarding/alignment-question has no auth: Express route POST /api/v1/capabilities/runtime-tools/onboarding/alignment-question declared without an auth middleware in its handler cha"}, "fullDescription": {"text": "Add an auth middleware: app.post('/api/v1/capabilities/runtime-tools/onboarding/alignment-question', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "AGT002", "name": "LLM memory extraction can be prompt-injected into storing fake facts", "shortDescription": {"text": "LLM memory extraction can be prompt-injected into storing fake facts"}, "fullDescription": {"text": "Validate extracted facts with a schema, enforce length and count limits, reject code-fence/prompt-looking content, and discard facts that contain instruction-like phrases or raw JSON prompt fragments."}, "properties": {"scanner": "repobility-agent-runtime", "category": "llm_injection", "severity": "high", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.R2_ENDPOINT_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.R2_ENDPOINT_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.R2_ENDPOINT_URL }` lets a PR from any fork exfiltrate the se"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/fi", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrar", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python obje", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SSTI001", "name": "SSTI \u2014 Jinja2 Template from user string", "shortDescription": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "fullDescription": {"text": "jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"scanner": "repobility", "category": "injection", "severity": "critical", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "DSER001", "name": "Insecure deserialization \u2014 pickle/yaml/marshal", "shortDescription": {"text": "Insecure deserialization \u2014 pickle/yaml/marshal"}, "fullDescription": {"text": "pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"scanner": "repobility", "category": "deserialization", "severity": "critical", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "JRN001", "name": "Token handoff appears to use a callback URL or fragment", "shortDescription": {"text": "Token handoff appears to use a callback URL or fragment"}, "fullDescription": {"text": "A frontend flow appears to combine a caller-controlled callback/redirect parameter with a token-bearing URL or fragment. This can exfiltrate sessions when callback validation is incomplete."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/195"}, "properties": {"repository": "holaboss-ai/holaOS", "repoUrl": "https://github.com/holaboss-ai/holaOS", "branch": "main"}, "results": [{"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 50788, "scanner": "repobility-agent-runtime", "fingerprint": "288143c3b8e70a4f38efdcff1ad1eb832dc7ca15678686c19eb481f4c30bc23b", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|288143c3b8e70a4f38efdcff1ad1eb832dc7ca15678686c19eb481f4c30bc23b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/runner-worker.ts"}, "region": {"startLine": 219}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 50786, "scanner": "repobility-agent-runtime", "fingerprint": "22b6d6d43fda061a20c5e34b2e7e30886cda5eeffb18a27e5605508704a5e90d", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|22b6d6d43fda061a20c5e34b2e7e30886cda5eeffb18a27e5605508704a5e90d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/lib/workspaceSelection.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 50785, "scanner": "repobility-agent-runtime", "fingerprint": "cbb875346f7c6e258d8d973a8e2d3e6a27f9611f0bae11eac978a223ae5bf71e", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|cbb875346f7c6e258d8d973a8e2d3e6a27f9611f0bae11eac978a223ae5bf71e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/lib/chat/useChatComposerModelSelection.ts"}, "region": {"startLine": 197}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 50784, "scanner": "repobility-agent-runtime", "fingerprint": "59719e6012d42c988d8e528656c963f1f52840a0e984475b927906ba6b095b28", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|59719e6012d42c988d8e528656c963f1f52840a0e984475b927906ba6b095b28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/features/workspace-onboarding/preferences.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 50783, "scanner": "repobility-agent-runtime", "fingerprint": "15431cc8821a3622b73ffc61b5bd5a470aa1214ee5fb5409b88579dffa6b89a5", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|15431cc8821a3622b73ffc61b5bd5a470aa1214ee5fb5409b88579dffa6b89a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/publish/usePublishDraft.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 50782, "scanner": "repobility-agent-runtime", "fingerprint": "b8ddc5b3bb9355c952f09811d1e14d7735e4576ead7cbf429790fcc8a9668961", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|b8ddc5b3bb9355c952f09811d1e14d7735e4576ead7cbf429790fcc8a9668961"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/panes/ChatPane/index.tsx"}, "region": {"startLine": 5320}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 50781, "scanner": "repobility-agent-runtime", "fingerprint": "1be215ac78e13361c024494aec555cdf9892d8f20ad3375d6a28b2acdb453817", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|1be215ac78e13361c024494aec555cdf9892d8f20ad3375d6a28b2acdb453817"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/layout/new-shell/useSettingsState.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 50780, "scanner": "repobility-agent-runtime", "fingerprint": "848c46ded00d7e18678658f5bfe445a73bd224421216b26379099bbf40b76e7a", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|848c46ded00d7e18678658f5bfe445a73bd224421216b26379099bbf40b76e7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/layout/SettingsScreenRoot.tsx"}, "region": {"startLine": 915}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 50779, "scanner": "repobility-agent-runtime", "fingerprint": "6ce2978daa5384346aedd490c958d94c0979e8770120ce011e0b1d2fe69409ec", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|6ce2978daa5384346aedd490c958d94c0979e8770120ce011e0b1d2fe69409ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/layout/AppShell.tsx"}, "region": {"startLine": 1441}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 50749, "scanner": "repobility-threat-engine", "fingerprint": "81fb5fe9e66b5d14b918ee9bfefdf84a3792987998d58dcd9bf6ec971c622ff3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ivedTools: [],\n    }\n  }\n}\n\nfunction randId() {\n  return `r_${Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|81fb5fe9e66b5d14b918ee9bfefdf84a3792987998d58dcd9bf6ec971c622ff3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/app-builder-sdk/src/runtime/state.ts"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 50748, "scanner": "repobility-threat-engine", "fingerprint": "94f4484e1130d585e4f3c697e47e6043c65166d076abbc8c480c09c377b877ea", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ivedTools: [],\n    }\n  }\n}\n\nfunction randId() {\n  return `r_${Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|94f4484e1130d585e4f3c697e47e6043c65166d076abbc8c480c09c377b877ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/harnesses/src/embedded-skills/app-builder-sdk/sdk-package/src/runtime/state.ts"}, "region": {"startLine": 103}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 50745, "scanner": "repobility-threat-engine", "fingerprint": "e75c1694a1a48fc5824b1416337785ec9d500e1c21e5900375d49ffa6ee646ef", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e75c1694a1a48fc5824b1416337785ec9d500e1c21e5900375d49ffa6ee646ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/session-scratchpad.ts"}, "region": {"startLine": 147}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 50741, "scanner": "repobility-threat-engine", "fingerprint": "e5f798d7449ac60b6f2044ab3bbe584057482041fa11a069e8a71713928c7eb5", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|48|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/composio-tool-registry.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 50731, "scanner": "repobility-threat-engine", "fingerprint": "8b74531f7975c031a7dfa4463c3b968fd7a7a3c4ff124577d3edd6273977fb86", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|303|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/panes/ChatPane/skeletons.tsx"}, "region": {"startLine": 303}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 50730, "scanner": "repobility-threat-engine", "fingerprint": "ad4898fc6e8f3179ff02e66a9e582d806d049a6275fb0057ec19c15b113ce3c5", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|82|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/panes/ChatPane/helpers.ts"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 50729, "scanner": "repobility-threat-engine", "fingerprint": "6a209eb46e29f009d59584d863eb210fa65c266fcfd0f481938657c423de5925", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|5|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/marketplace/markdownFenceNormalization.mjs"}, "region": {"startLine": 5}}}]}, {"ruleId": "LOG001", "level": "warning", "message": {"text": "PII printed to stdout/stderr"}, "properties": {"repobilityId": 16878, "scanner": "repobility", "fingerprint": "3d4302de3549cceab179b928e44e6571", "category": "logging", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "print('  \u2717 Missing model_proxy_base_url or auth_token", "aljefra_cwe": ["CWE-532"], "aljefra_owasp": "A09:2021", "aljefra_pattern_slug": "print-pii"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/scripts/check-runtime-status.sh"}, "region": {"startLine": 68}}}]}, {"ruleId": "LOG001", "level": "warning", "message": {"text": "PII printed to stdout/stderr"}, "properties": {"repobilityId": 16877, "scanner": "repobility", "fingerprint": "5942cae63117971b0e301d3a5bea1a3b", "category": "logging", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "print(f'  auth_token:           {\\\"SET\\\" if h.get(\\\"auth_token", "aljefra_cwe": ["CWE-532"], "aljefra_owasp": "A09:2021", "aljefra_pattern_slug": "print-pii"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/scripts/check-runtime-status.sh"}, "region": {"startLine": 45}}}]}, {"ruleId": "SUPC002", "level": "warning", "message": {"text": "Supply chain \u2014 npm install without lockfile"}, "properties": {"repobilityId": 15618, "scanner": "repobility", "fingerprint": "dfdf84af9db8dd5cc033304cc99b7799", "category": "supply_chain", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "  npm install", "aljefra_cwe": ["CWE-1357"], "aljefra_owasp": "A06:2021", "aljefra_pattern_slug": "npm-install-no-lockfile"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/deploy/package_linux_runtime.sh"}, "region": {"startLine": 105}}}]}, {"ruleId": "SUPC002", "level": "warning", "message": {"text": "Supply chain \u2014 npm install without lockfile"}, "properties": {"repobilityId": 15617, "scanner": "repobility", "fingerprint": "bc81f4954fa09719701a79de58ea3827", "category": "supply_chain", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "  npm install", "aljefra_cwe": ["CWE-1357"], "aljefra_owasp": "A06:2021", "aljefra_pattern_slug": "npm-install-no-lockfile"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/deploy/package_macos_runtime.sh"}, "region": {"startLine": 81}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13486, "scanner": "repobility", "fingerprint": "b225d37894cf96034451cdaee09da9b1", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/deploy/bootstrap/container.sh"}, "region": {"startLine": 35}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13485, "scanner": "repobility", "fingerprint": "0d5d902f6f3d3e7f81d11b9667e72c00", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "fixed", "verdict": "likely_fp", "isResolved": true, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/runner-prep.test.ts"}, "region": {"startLine": 132}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13484, "scanner": "repobility", "fingerprint": "e3ae4b7cca86e6dabae6c8b47b281b4b", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "fixed", "verdict": "likely_fp", "isResolved": true, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.test.ts"}, "region": {"startLine": 6681}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13483, "scanner": "repobility", "fingerprint": "0b462f5b8f2dfac9bd02fc56640eae74", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/ts-runner.ts"}, "region": {"startLine": 721}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13482, "scanner": "repobility", "fingerprint": "7d3ed7fd7f8c8506821870af5bd546e6", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/runner-worker.ts"}, "region": {"startLine": 235}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13481, "scanner": "repobility", "fingerprint": "14946b80e971ec106850ac22b2b740f3", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/components/marketplace/KitEmoji.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13480, "scanner": "repobility", "fingerprint": "5f23818f66565aabe8dbfdf5ec4e23af", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/components/panes/BrowserPane.tsx"}, "region": {"startLine": 97}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13479, "scanner": "repobility", "fingerprint": "85e82cfe168b70776688a9688c43e7bd", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/components/panes/SpaceBrowserDisplayPane.tsx"}, "region": {"startLine": 53}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13478, "scanner": "repobility", "fingerprint": "bd0af7bb3cbd02506c226bf4193d9ae9", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/components/panes/SpreadsheetEditor.tsx"}, "region": {"startLine": 30}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13477, "scanner": "repobility", "fingerprint": "39fe48a510793ce19f8acb1ec5cfdaa5", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/components/panes/BrowserPane.test.mjs"}, "region": {"startLine": 94}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 5932, "scanner": "repobility-docker", "fingerprint": "666d39de10a59fff638cacf3292306fef994aee03a8c9bbcef8ee877d04fc91a", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.12-slim-bookworm@sha256:883fb7fcf461dc7ab7601180568ad4afbd9d018371afa41b18c8a1124a81a66e", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|666d39de10a59fff638cacf3292306fef994aee03a8c9bbcef8ee877d04fc91a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/deploy/Dockerfile.toolchain"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 5931, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 5930, "scanner": "repobility-docker", "fingerprint": "e015a4d8526564c7e61bfb3b0265ebdaff99fca430548776ea857a2c04d089b9", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${TOOLCHAIN_IMAGE}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e015a4d8526564c7e61bfb3b0265ebdaff99fca430548776ea857a2c04d089b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/deploy/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 5927, "scanner": "repobility-threat-engine", "fingerprint": "b66ec3c169756a9f122e8d30cfc646a7a3f5115724038ae74d4741259b9309c3", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|181|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/memory-recall-manifest.ts"}, "region": {"startLine": 181}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 5926, "scanner": "repobility-threat-engine", "fingerprint": "7ef3866b209038b7c5544b9df63b4b9c7bca1ef085fdf55df108557f69b65c6c", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|96|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/workspace-skills.ts"}, "region": {"startLine": 96}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 5925, "scanner": "repobility-threat-engine", "fingerprint": "c6867c77186098e2900bb2975545b5b58903af2290f28c44014c48b4f32c92e3", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|111|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/proactive-context.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 5923, "scanner": "repobility-threat-engine", "fingerprint": "e525b7bd2553892382cbdb27ef84021d8a044692346f0029623befe25e97565b", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e525b7bd2553892382cbdb27ef84021d8a044692346f0029623befe25e97565b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/session-todo.ts"}, "region": {"startLine": 382}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 5922, "scanner": "repobility-threat-engine", "fingerprint": "987450b722dc9ffdf7a01d8a6d48eac543e4f4b500fed6659a730eb6712b1017", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|987450b722dc9ffdf7a01d8a6d48eac543e4f4b500fed6659a730eb6712b1017"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/session-checkpoint.ts"}, "region": {"startLine": 1035}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 5921, "scanner": "repobility-threat-engine", "fingerprint": "1a6cfbfd5e1bcc7d7dc575dd4489337118a80322c560fc4ebcd6b73e4b6fe267", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1a6cfbfd5e1bcc7d7dc575dd4489337118a80322c560fc4ebcd6b73e4b6fe267"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/harness-host/src/pi.ts"}, "region": {"startLine": 2482}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 5918, "scanner": "repobility-threat-engine", "fingerprint": "090770ab9135882284d4aab3f734f293e7b2a49be66a38fe0ad78efad55eb4a1", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "zipEntry.name", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|353|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/electron/browser-pane/import-browsers.ts"}, "region": {"startLine": 353}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 5913, "scanner": "repobility-agent-runtime", "fingerprint": "1af85250dc2bfc146dd18ff4ba92ee659e2c782e4d53b68aed6374868138f4b1", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|1af85250dc2bfc146dd18ff4ba92ee659e2c782e4d53b68aed6374868138f4b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/deploy/bootstrap/shared.sh"}, "region": {"startLine": 57}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 5912, "scanner": "repobility-agent-runtime", "fingerprint": "811257597a66cc5b2125d7bd3fa7fa021af8e34fb23e4d2847cc067e4749be10", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|811257597a66cc5b2125d7bd3fa7fa021af8e34fb23e4d2847cc067e4749be10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/session-checkpoint.ts"}, "region": {"startLine": 731}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 5911, "scanner": "repobility-agent-runtime", "fingerprint": "b925231db60947efee13ecd0c0cca52e19e8208efa608d543d6e57cb340595eb", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|b925231db60947efee13ecd0c0cca52e19e8208efa608d543d6e57cb340595eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/runner-worker.ts"}, "region": {"startLine": 211}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 5908, "scanner": "repobility-agent-runtime", "fingerprint": "144afef2a5a7ccf7ef627ad3f48098bfa9ea501377e5ff9617c1533d01bc084a", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|144afef2a5a7ccf7ef627ad3f48098bfa9ea501377e5ff9617c1533d01bc084a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/lib/workspaceSelection.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 5907, "scanner": "repobility-agent-runtime", "fingerprint": "87d99a9679b0336f5acac0b94a50e66466652013dda4dab4de1ac24601a9f98c", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|87d99a9679b0336f5acac0b94a50e66466652013dda4dab4de1ac24601a9f98c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/lib/chat/useChatComposerModelSelection.ts"}, "region": {"startLine": 197}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 5906, "scanner": "repobility-agent-runtime", "fingerprint": "3fa4c26ba99e234adc0ad319abc9b0f29c9011123d3d959f260e430dd55aeaba", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|3fa4c26ba99e234adc0ad319abc9b0f29c9011123d3d959f260e430dd55aeaba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/components/publish/usePublishDraft.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 5905, "scanner": "repobility-agent-runtime", "fingerprint": "a3748edbee042a486b425824b99ea7abf62e70fb08ce0841d08794eaf9b1b071", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|a3748edbee042a486b425824b99ea7abf62e70fb08ce0841d08794eaf9b1b071"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/components/panes/ChatPane/index.tsx"}, "region": {"startLine": 4511}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 5904, "scanner": "repobility-agent-runtime", "fingerprint": "b40b5b4971e7e4cae47cb296a60437e86a9e481ff97be92bd4cad7a1aa1ca189", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|b40b5b4971e7e4cae47cb296a60437e86a9e481ff97be92bd4cad7a1aa1ca189"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/components/layout/AppShell.tsx"}, "region": {"startLine": 1506}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5903, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8e5c5a23535a21e4dcc7ab38e34589c525ee5b950123835fda91dee859023ee2", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/api-server/src/evolve-worker.ts", "duplicate_line": 70, "correlation_key": "fp|8e5c5a23535a21e4dcc7ab38e34589c525ee5b950123835fda91dee859023ee2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/main-session-event-worker.ts"}, "region": {"startLine": 185}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5902, "scanner": "repobility-ai-code-hygiene", "fingerprint": "871d5077a703006d3fbb32c3876388e03f2dde49cfc0d4522da138cd3ac1ad3d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/api-server/src/image-generation.ts", "duplicate_line": 34, "correlation_key": "fp|871d5077a703006d3fbb32c3876388e03f2dde49cfc0d4522da138cd3ac1ad3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/integration-types.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5900, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1c344303fde7c28bb592c60c7e7bd2f7dc185823387193c24fc39d6775381960", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/api-server/src/bridge-worker.ts", "duplicate_line": 434, "correlation_key": "fp|1c344303fde7c28bb592c60c7e7bd2f7dc185823387193c24fc39d6775381960"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/cron-worker.ts"}, "region": {"startLine": 512}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5899, "scanner": "repobility-ai-code-hygiene", "fingerprint": "504879e58cada3f5f21d3648b9d7670c89c16e95ef4c2510fcdfb109ac486fe9", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "desktop/src/components/layout/SettingsScreenRoot.tsx", "duplicate_line": 37, "correlation_key": "fp|504879e58cada3f5f21d3648b9d7670c89c16e95ef4c2510fcdfb109ac486fe9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/components/ui/combobox.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5898, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f43d43731095518d10a60ac81174951db5f90d9fdb457b5462801f3349f2f0cf", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "desktop/src/components/panes/ChatPane/helpers.ts", "duplicate_line": 13, "correlation_key": "fp|f43d43731095518d10a60ac81174951db5f90d9fdb457b5462801f3349f2f0cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/components/panes/useWorkspaceBrowser.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5897, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e495212f788ebe3b8ec1515721661f9330ab72d62e79e45e0331b6f8eeb64ac9", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "desktop/src/components/panes/BackgroundTasksPane.tsx", "duplicate_line": 179, "correlation_key": "fp|e495212f788ebe3b8ec1515721661f9330ab72d62e79e45e0331b6f8eeb64ac9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/components/panes/SubagentSessionsPane.tsx"}, "region": {"startLine": 118}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5896, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a86f806f810d8fe21df70e0189a6d08fbb7fa77e1dce1d215ed4b1057f370e92", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "desktop/src/components/panes/SpaceBrowserDisplayPane.tsx", "duplicate_line": 93, "correlation_key": "fp|a86f806f810d8fe21df70e0189a6d08fbb7fa77e1dce1d215ed4b1057f370e92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/components/panes/SpaceBrowserExplorerPane.tsx"}, "region": {"startLine": 143}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5895, "scanner": "repobility-ai-code-hygiene", "fingerprint": "954c0ebfb048ed7188b5b119560c3cac9b9f03e4ee4ded6222224c1a7d6500e8", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "desktop/src/components/onboarding/constants.ts", "duplicate_line": 5, "correlation_key": "fp|954c0ebfb048ed7188b5b119560c3cac9b9f03e4ee4ded6222224c1a7d6500e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/components/panes/MarketplacePane.tsx"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5894, "scanner": "repobility-ai-code-hygiene", "fingerprint": "479aef1cfaa741bbe2667e5af8daaccc50fba3db3f59dfd5f20fdff0530d2944", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "desktop/src/components/onboarding/BrowserProfileStep.tsx", "duplicate_line": 112, "correlation_key": "fp|479aef1cfaa741bbe2667e5af8daaccc50fba3db3f59dfd5f20fdff0530d2944"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/components/panes/BrowserProfileImportButton.tsx"}, "region": {"startLine": 430}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5893, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7878c5d3d8ee0c08a396dd173df93b3684ac45413d21bb11bffe7a51d5e411e2", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "desktop/src/components/marketplace/AppCatalogCard.tsx", "duplicate_line": 176, "correlation_key": "fp|7878c5d3d8ee0c08a396dd173df93b3684ac45413d21bb11bffe7a51d5e411e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/components/panes/AppSurfacePane.tsx"}, "region": {"startLine": 507}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5892, "scanner": "repobility-ai-code-hygiene", "fingerprint": "36a8fd81e455c36567ff8d16505b51c04c6db347d43aa11f799684a9258b607c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "desktop/src/components/onboarding/ConnectIntegrationsStep.tsx", "duplicate_line": 71, "correlation_key": "fp|36a8fd81e455c36567ff8d16505b51c04c6db347d43aa11f799684a9258b607c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/components/onboarding/IntegrationsList.tsx"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50778, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cf73be309174db6838753416aa5eff6b890649f9eb29cb70798b4c1ec05a0e43", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/harnesses/src/browser-capability-tools.ts", "duplicate_line": 106, "correlation_key": "fp|cf73be309174db6838753416aa5eff6b890649f9eb29cb70798b4c1ec05a0e43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/harnesses/src/desktop-browser-tools.ts"}, "region": {"startLine": 188}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50777, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b8a71b39d36af6e6b33a9fb01e7925b6e5a4e5d06c553ddbb8d7cfc3c678b52d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/api-server/src/runtime-ai-monitoring.ts", "duplicate_line": 55, "correlation_key": "fp|b8a71b39d36af6e6b33a9fb01e7925b6e5a4e5d06c553ddbb8d7cfc3c678b52d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/harness-host/src/harness-ai-monitoring.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50776, "scanner": "repobility-ai-code-hygiene", "fingerprint": "34dcd3a5e6f503f4ba8ac1f175454ff28d99a8bb7688dc9105be56ae9ba7caa9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/api-server/src/workspace-mcp-sidecar.ts", "duplicate_line": 29, "correlation_key": "fp|34dcd3a5e6f503f4ba8ac1f175454ff28d99a8bb7688dc9105be56ae9ba7caa9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/harness-host/src/contracts.ts"}, "region": {"startLine": 93}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50775, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1ab018b87b79beaf288511c5f3b9f107f133cd90c34da2b4810b2227ac14562c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/api-server/src/ts-runner-contracts.ts", "duplicate_line": 13, "correlation_key": "fp|1ab018b87b79beaf288511c5f3b9f107f133cd90c34da2b4810b2227ac14562c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/harness-host/src/contracts.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50774, "scanner": "repobility-ai-code-hygiene", "fingerprint": "316fc61feac848b0d14cf43a295ca91d7fa982f1bffbe6db92eb4bcdaa07d9ed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/api-server/src/composio-mcp-host.ts", "duplicate_line": 43, "correlation_key": "fp|316fc61feac848b0d14cf43a295ca91d7fa982f1bffbe6db92eb4bcdaa07d9ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/workspace-mcp-host.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50773, "scanner": "repobility-ai-code-hygiene", "fingerprint": "11cda59f18c198ddbce87ca4806cfe046de594aaff3bd4df6e6d0e94af0c2628", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/api-server/src/workspace-app-host-lint.ts", "duplicate_line": 55, "correlation_key": "fp|11cda59f18c198ddbce87ca4806cfe046de594aaff3bd4df6e6d0e94af0c2628"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/workspace-app-ui-lint.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50772, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c1f262dff4decd61f69af1c7a5e19fb61833080fa5f3a16c63904a77c1f44fa9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/api-server/src/teammate-routing.ts", "duplicate_line": 45, "correlation_key": "fp|c1f262dff4decd61f69af1c7a5e19fb61833080fa5f3a16c63904a77c1f44fa9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/teammate-skill-files.ts"}, "region": {"startLine": 106}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50771, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cdf39be6b89e4c9eb7358970bbe9e53bd463c7cf6400f9de3b83f171da8543d3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/desktop/electron/diagnostics-bundle.ts", "duplicate_line": 23, "correlation_key": "fp|cdf39be6b89e4c9eb7358970bbe9e53bd463c7cf6400f9de3b83f171da8543d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/runtime-sentry.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50770, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9267b641a6b615065a0d189d20cffc1c1daf72efc696b2651b46678acf9251e6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/api-server/src/memory.ts", "duplicate_line": 40, "correlation_key": "fp|9267b641a6b615065a0d189d20cffc1c1daf72efc696b2651b46678acf9251e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/resolved-app-bootstrap-shared.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50769, "scanner": "repobility-ai-code-hygiene", "fingerprint": "14617f29328691d70d9c8a21e6f362fce57dd8ecaa682546e01f3058b78464f1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/api-server/src/background-task-model.ts", "duplicate_line": 60, "correlation_key": "fp|14617f29328691d70d9c8a21e6f362fce57dd8ecaa682546e01f3058b78464f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/recall-embedding-model.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50768, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ed7a3e9950458d882b625a7983c60d0db6c18347df2acc59d912eea3b6a8af04", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/api-server/src/evolve-worker.ts", "duplicate_line": 70, "correlation_key": "fp|ed7a3e9950458d882b625a7983c60d0db6c18347df2acc59d912eea3b6a8af04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/recall-embedding-backfill-worker.ts"}, "region": {"startLine": 159}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50767, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7e06eb30052a5abe3034d61a721eccdef8c3769d8cae4d67e3c6343caffd3933", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/api-server/src/evolve-worker.ts", "duplicate_line": 70, "correlation_key": "fp|7e06eb30052a5abe3034d61a721eccdef8c3769d8cae4d67e3c6343caffd3933"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/queue-worker.ts"}, "region": {"startLine": 140}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50766, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5667490b8eb6a0f466124924bc7b7a06f7535af121b1de83552965afa4b44e49", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/api-server/src/integrations.ts", "duplicate_line": 67, "correlation_key": "fp|5667490b8eb6a0f466124924bc7b7a06f7535af121b1de83552965afa4b44e49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/memory.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50765, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b008008b7ad88d5088a2040c3c2cd814956604001efbefa9b7ff84833b366a46", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/api-server/src/evolve-skill-review.ts", "duplicate_line": 72, "correlation_key": "fp|b008008b7ad88d5088a2040c3c2cd814956604001efbefa9b7ff84833b366a46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/memory-writeback-extractor.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50764, "scanner": "repobility-ai-code-hygiene", "fingerprint": "81f1dee944145df50ebbb1f366964501fade6239e81aff4971b522392d4c36e3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/api-server/src/evolve-worker.ts", "duplicate_line": 70, "correlation_key": "fp|81f1dee944145df50ebbb1f366964501fade6239e81aff4971b522392d4c36e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/main-session-event-worker.ts"}, "region": {"startLine": 466}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50763, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8c41bbc2ea5d2770fe6da8671f02edf085b3568298b20d0d77bfa6ef4ea00c5c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/api-server/src/image-generation.ts", "duplicate_line": 34, "correlation_key": "fp|8c41bbc2ea5d2770fe6da8671f02edf085b3568298b20d0d77bfa6ef4ea00c5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/integration-types.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50762, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b45dc7536c3c4144674a5acfe6df8882939597fc3310f3cc271deec2b26991c0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/api-server/src/bridge-worker.ts", "duplicate_line": 369, "correlation_key": "fp|b45dc7536c3c4144674a5acfe6df8882939597fc3310f3cc271deec2b26991c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/cron-worker.ts"}, "region": {"startLine": 605}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50761, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e0c67cafe85a70598c11c80aca9071c7167cb79d5291b741d52489bb5408ffdf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/desktop/src/components/panes/ChatPane/helpers.ts", "duplicate_line": 13, "correlation_key": "fp|e0c67cafe85a70598c11c80aca9071c7167cb79d5291b741d52489bb5408ffdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/panes/useWorkspaceBrowser.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50760, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff279d4b454deb36ecf73bd4815fa03fa4435f23c9d506b236f95478e80cf3c6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/desktop/src/components/panes/SpaceBrowserDisplayPane.tsx", "duplicate_line": 93, "correlation_key": "fp|ff279d4b454deb36ecf73bd4815fa03fa4435f23c9d506b236f95478e80cf3c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/panes/SpaceBrowserExplorerPane.tsx"}, "region": {"startLine": 143}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50759, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fb3eacb6e05d9a0193033a4c9717dc8f97e652786009a19d3f161243bf705228", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/desktop/src/components/onboarding/constants.ts", "duplicate_line": 5, "correlation_key": "fp|fb3eacb6e05d9a0193033a4c9717dc8f97e652786009a19d3f161243bf705228"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/panes/MarketplacePane.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50758, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5788b9611345878c348d3dacef6fc93c3d2a390b5fbeadee67c4b18f13fbc807", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/desktop/src/components/marketplace/SimpleMarkdown.tsx", "duplicate_line": 22, "correlation_key": "fp|5788b9611345878c348d3dacef6fc93c3d2a390b5fbeadee67c4b18f13fbc807"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/panes/HtmlPreviewFrame.tsx"}, "region": {"startLine": 112}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50757, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e887f55a099f1a0d960ec29f0b199b591f3b8c6fdb71c64426c628be95c9b980", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/desktop/src/components/layout/new-shell/IssuesBoardPane.tsx", "duplicate_line": 80, "correlation_key": "fp|e887f55a099f1a0d960ec29f0b199b591f3b8c6fdb71c64426c628be95c9b980"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/panes/ChatPane/IssueThreadControls.tsx"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50756, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a07d6c03bfbedb54961afefa78fb521abc95f74880306a04fd88af9d04ab4da4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/desktop/src/components/layout/new-shell/WorkspaceDashboardPane.tsx", "duplicate_line": 33, "correlation_key": "fp|a07d6c03bfbedb54961afefa78fb521abc95f74880306a04fd88af9d04ab4da4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/panes/ChatPane/IssueThreadControls.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50755, "scanner": "repobility-ai-code-hygiene", "fingerprint": "415b28bb98e1b713ae1da6d3dee469542ec741d40d2034ab142bc2550a036d79", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/desktop/src/components/onboarding/BrowserProfileStep.tsx", "duplicate_line": 112, "correlation_key": "fp|415b28bb98e1b713ae1da6d3dee469542ec741d40d2034ab142bc2550a036d79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/panes/BrowserProfileImportButton.tsx"}, "region": {"startLine": 473}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50754, "scanner": "repobility-ai-code-hygiene", "fingerprint": "23573dde81ae1b7547f634a0baaceeaa1267e188c7f68b2eb925973c2c415133", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/desktop/src/components/marketplace/AppCatalogCard.tsx", "duplicate_line": 176, "correlation_key": "fp|23573dde81ae1b7547f634a0baaceeaa1267e188c7f68b2eb925973c2c415133"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/panes/AppSurfacePane.tsx"}, "region": {"startLine": 453}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50753, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f16a2a48b1a0321bf9e3cbc6676b1221c416fb72cdc9ceb9135e2dbd52d95e04", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/desktop/src/components/onboarding/ConnectIntegrationsStep.tsx", "duplicate_line": 71, "correlation_key": "fp|f16a2a48b1a0321bf9e3cbc6676b1221c416fb72cdc9ceb9135e2dbd52d95e04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/onboarding/IntegrationsList.tsx"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50752, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fe0dd0c52b81f6d0c16fd1e9fd90c16fba1d4e1c6efb247a4d78ce78d5a2ba22", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/desktop/src/components/layout/new-shell/IssuesBoardPane.tsx", "duplicate_line": 62, "correlation_key": "fp|fe0dd0c52b81f6d0c16fd1e9fd90c16fba1d4e1c6efb247a4d78ce78d5a2ba22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/layout/new-shell/WorkspaceDashboardPane.tsx"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50751, "scanner": "repobility-ai-code-hygiene", "fingerprint": "37f96f295a21483d212b280dd6a83b82e2bea1feb7a5f3234f887529adc7c5c0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/desktop/src/components/layout/new-shell/NewTabDialog.tsx", "duplicate_line": 100, "correlation_key": "fp|37f96f295a21483d212b280dd6a83b82e2bea1feb7a5f3234f887529adc7c5c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/layout/new-shell/SearchDialog.tsx"}, "region": {"startLine": 230}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50750, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2038813ccf1acc59c4017890eee7c6aa4930cde1a66e987a3637e918f6521f45", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/desktop/src/components/layout/TopTabsBar.tsx", "duplicate_line": 295, "correlation_key": "fp|2038813ccf1acc59c4017890eee7c6aa4930cde1a66e987a3637e918f6521f45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/layout/new-shell/NewAppShell.tsx"}, "region": {"startLine": 220}}}]}, {"ruleId": "QUAL005", "level": "note", "message": {"text": "Cluster of TODOs in one file"}, "properties": {"repobilityId": 22165, "scanner": "repobility", "fingerprint": "4e07b773a1142a80a12773d6759949ee", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "todo complete, then propose resuming the unfinish", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "todo-bomb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/harness-host/src/pi-guidance.test.mjs"}, "region": {"startLine": 39}}}]}, {"ruleId": "QUAL005", "level": "note", "message": {"text": "Cluster of TODOs in one file"}, "properties": {"repobilityId": 22164, "scanner": "repobility", "fingerprint": "e1f11f2bc492a7ddba9a13ba09f008f5", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "todo, preserve that todo as unfinished, handle the new request first, and then propose continuing the unfinish", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "todo-bomb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/harness-host/src/pi-guidance.test.mjs"}, "region": {"startLine": 35}}}]}, {"ruleId": "QUAL005", "level": "note", "message": {"text": "Cluster of TODOs in one file"}, "properties": {"repobilityId": 22163, "scanner": "repobility", "fingerprint": "450462eb19454cc8f80498508036e151", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "todo, keep the restored todo marked unfinish", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "todo-bomb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/harness-host/src/pi-guidance.test.mjs"}, "region": {"startLine": 31}}}]}, {"ruleId": "QUAL005", "level": "note", "message": {"text": "Cluster of TODOs in one file"}, "properties": {"repobilityId": 22162, "scanner": "repobility", "fingerprint": "3cb7a12a0e60583fa0cdaf43469e2018", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "todo complete, then propose resuming the unfinish", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "todo-bomb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/harnesses/src/todo-policy.ts"}, "region": {"startLine": 1090}}}]}, {"ruleId": "QUAL005", "level": "note", "message": {"text": "Cluster of TODOs in one file"}, "properties": {"repobilityId": 22161, "scanner": "repobility", "fingerprint": "29cdfde11f3cddb96085c02b72ca2825", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "todo, preserve that todo as unfinished, handle the new request first, and then propose continuing the unfinish", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "todo-bomb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/harnesses/src/todo-policy.ts"}, "region": {"startLine": 1051}}}]}, {"ruleId": "QUAL005", "level": "note", "message": {"text": "Cluster of TODOs in one file"}, "properties": {"repobilityId": 22160, "scanner": "repobility", "fingerprint": "f4af6061e22e7758f665e2c2403341a7", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "todo marked unfinish", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "todo-bomb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/harnesses/src/todo-policy.ts"}, "region": {"startLine": 389}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 5920, "scanner": "repobility-threat-engine", "fingerprint": "b103e9e8cb6e0fdf0cc484eda9969d91db04b3f8ce276252c980ca9a276e08ee", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = h", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|233|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/composio-test-server.ts"}, "region": {"startLine": 233}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 5919, "scanner": "repobility-threat-engine", "fingerprint": "06e7ef079a67c1c255d0c4a840d2d7d164f7470ae4f9097d8ab073c50ccc6a7e", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = r", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|235|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/electron/browser-pane/popups.ts"}, "region": {"startLine": 235}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5901, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ce82c1d4cb25bdb66bd14f6a026a7c91c192fb15db68f79f5574e6de24ab686e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "runtime/api-server/src/background-task-model.ts", "duplicate_line": 50, "correlation_key": "fp|ce82c1d4cb25bdb66bd14f6a026a7c91c192fb15db68f79f5574e6de24ab686e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/image-generation-model.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 50747, "scanner": "repobility-threat-engine", "fingerprint": "226b3c6e7e2f083590ebbfcfc26740f8c7357cb3a9512b17765ba5ccefc65a68", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|226b3c6e7e2f083590ebbfcfc26740f8c7357cb3a9512b17765ba5ccefc65a68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/deploy/package_linux_runtime.sh"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 50740, "scanner": "repobility-threat-engine", "fingerprint": "588cbe6635e9107e3f4226ff395bb9d3b8dbc57f8977957784281db9e5f71589", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|588cbe6635e9107e3f4226ff395bb9d3b8dbc57f8977957784281db9e5f71589"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 50736, "scanner": "repobility-threat-engine", "fingerprint": "606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 50732, "scanner": "repobility-threat-engine", "fingerprint": "7ad821c68fd7d69c56ceaf843dc975879999279796dea3d5e69af832688addea", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7ad821c68fd7d69c56ceaf843dc975879999279796dea3d5e69af832688addea"}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 50728, "scanner": "repobility-threat-engine", "fingerprint": "e3cdb9865aaf39ef1da25565790829685f320ff300bf8f437ba4016c2bb34b26", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e3cdb9865aaf39ef1da25565790829685f320ff300bf8f437ba4016c2bb34b26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/docs/app/root.tsx"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 50727, "scanner": "repobility-threat-engine", "fingerprint": "32600035bccd2fd2202fc618b20d9e438fb184f38ed88082831be634a9992c24", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|32600035bccd2fd2202fc618b20d9e438fb184f38ed88082831be634a9992c24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/ui/src/primitives/chart.tsx"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 50726, "scanner": "repobility-threat-engine", "fingerprint": "ecf63eb89746f02df611a5211c66d94d17557fd5133cae56ba37ac371f2d4967", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ecf63eb89746f02df611a5211c66d94d17557fd5133cae56ba37ac371f2d4967"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/marketplace/CodeBlock.tsx"}, "region": {"startLine": 236}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 50725, "scanner": "repobility-threat-engine", "fingerprint": "deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "aggregated_count": 1}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 50724, "scanner": "repobility-threat-engine", "fingerprint": "7001cd514f6a7b740e6f7b87ab9ece50fd77a5a90e5fcfa7c3ede70fe8a58b68", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7001cd514f6a7b740e6f7b87ab9ece50fd77a5a90e5fcfa7c3ede70fe8a58b68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/composio-tool-registry.ts"}, "region": {"startLine": 285}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 50723, "scanner": "repobility-threat-engine", "fingerprint": "df38e121b571bd45f79980cb5d463718a12d9107486bb1bee243c787e8df630f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|df38e121b571bd45f79980cb5d463718a12d9107486bb1bee243c787e8df630f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/marketplace/KitEmoji.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 50722, "scanner": "repobility-threat-engine", "fingerprint": "6947c8b30b4ddc1e495190bc9ef8f67c105d669d143bf3e3557c127d0da75838", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6947c8b30b4ddc1e495190bc9ef8f67c105d669d143bf3e3557c127d0da75838"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/layout/new-shell/NewTabDialog.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 50721, "scanner": "repobility-threat-engine", "fingerprint": "6d638efea05789caff597b5fe788564ae810a6add52e01af7c7e66ad58581866", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6d638efea05789caff597b5fe788564ae810a6add52e01af7c7e66ad58581866", "aggregated_count": 3}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 50720, "scanner": "repobility-threat-engine", "fingerprint": "c40de4b1c246e05540e1917015e4b75bfabe9cadf640e6a16f119ff7662d259b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c40de4b1c246e05540e1917015e4b75bfabe9cadf640e6a16f119ff7662d259b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/onboarding/WorkspaceWizardLayout.tsx"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 50719, "scanner": "repobility-threat-engine", "fingerprint": "83d43ee61507accdc29726d6a714fe7c7c3049c5f42759d26cc81682d09246f5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|83d43ee61507accdc29726d6a714fe7c7c3049c5f42759d26cc81682d09246f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/marketplace/MarketplaceGallery.tsx"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 50718, "scanner": "repobility-threat-engine", "fingerprint": "0baa6eab24f6a91f7030ad16b4d744a43813dc06275d1e141936bc3b4080934e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0baa6eab24f6a91f7030ad16b4d744a43813dc06275d1e141936bc3b4080934e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/layout/BootSplash.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC114", "level": "none", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 50717, "scanner": "repobility-threat-engine", "fingerprint": "d05fdfd303acef4bf522377f189862ed32d19e441b16e020faac46615cd2aacc", "category": "path_traversal", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d05fdfd303acef4bf522377f189862ed32d19e441b16e020faac46615cd2aacc"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 32 more): Same pattern found in 32 additional files. Review if needed."}, "properties": {"repobilityId": 50713, "scanner": "repobility-threat-engine", "fingerprint": "6f24ae03479eaf66c5fcfabaaf4635274ba539865e41a1e75746fbba02a1dbd6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 32 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6f24ae03479eaf66c5fcfabaaf4635274ba539865e41a1e75746fbba02a1dbd6", "aggregated_count": 32}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 50712, "scanner": "repobility-threat-engine", "fingerprint": "67cbfedff503f84f42b760c8018ebafbae8e9a2774b0f008f71f257e81c3135c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|67cbfedff503f84f42b760c8018ebafbae8e9a2774b0f008f71f257e81c3135c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/scripts/ensure-runtime-bundle.mjs"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 50711, "scanner": "repobility-threat-engine", "fingerprint": "a1ba289b8b2a1dfef3d21873129f45771394cd49ac33f17742bcf29c796e9a32", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a1ba289b8b2a1dfef3d21873129f45771394cd49ac33f17742bcf29c796e9a32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/scripts/ensure-editor.mjs"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 50710, "scanner": "repobility-threat-engine", "fingerprint": "694914297c5816287a18e84fc2e24353994479ff46bc62fb1fb69af385489125", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|694914297c5816287a18e84fc2e24353994479ff46bc62fb1fb69af385489125"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/scripts/ensure-app-sdk.mjs"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 50709, "scanner": "repobility-threat-engine", "fingerprint": "5e21b0152c1c14f993e28474dc5acc89c59f6bdf6789662c2d53436dae5e8408", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5e21b0152c1c14f993e28474dc5acc89c59f6bdf6789662c2d53436dae5e8408"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/scripts/check-runtime-status.sh"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 50708, "scanner": "repobility-threat-engine", "fingerprint": "501876d43fbaf15c6d4055194dcce53c187c4dbbef78a664b67e46162788cb51", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|501876d43fbaf15c6d4055194dcce53c187c4dbbef78a664b67e46162788cb51"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 50707, "scanner": "repobility-threat-engine", "fingerprint": "96269c5115ddea06e0f4904034e3aa99975f42e1ebb44ffaa3a4f6977995a77e", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.error(`Missing env: COMPOSIO_API_KEY=<redacted>", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|2|console.error missing env: composio_api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/harnesses/src/embedded-skills/app-builder-sdk/reference/telegram-messaging/e2e.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 50706, "scanner": "repobility-threat-engine", "fingerprint": "8ee3eaa8676beab8aa6a4428061f697a0d02d7317d4ae90a04021e4cae45929d", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.error(`Missing env. Set SLACK_BEARER_TOKEN and TEST_SLACK_CHANNEL.`)", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|1|console.error missing env. set slack_bearer_token and test_slack_channel."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/harnesses/src/embedded-skills/app-builder-sdk/reference/slack-messaging/e2e-bearer.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 50705, "scanner": "repobility-threat-engine", "fingerprint": "60d8cb2eb7e83807193bdc133f28cca2467bdafc6277bda125f9276d97554fff", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "print(f'  auth_token:           <redacted>\"SET\\\" if h.get(\\\"auth_token\\\")", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|8|print f auth_token: redacted set if h.get auth_token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/scripts/check-runtime-status.sh"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 50704, "scanner": "repobility-threat-engine", "fingerprint": "7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "properties": {"repobilityId": 50699, "scanner": "repobility-threat-engine", "fingerprint": "cd42195ae1e0779f0f1aa7d5ec03a60372dca0e9131a17421bcd2b02a7181ba8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|cd42195ae1e0779f0f1aa7d5ec03a60372dca0e9131a17421bcd2b02a7181ba8", "aggregated_count": 22}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 50698, "scanner": "repobility-threat-engine", "fingerprint": "540e0175587bc05e121e6c66289a9ef0fcefc942887879002af19bd268d36ada", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|540e0175587bc05e121e6c66289a9ef0fcefc942887879002af19bd268d36ada"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/panes/AddIntegrationDialog.tsx"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 50697, "scanner": "repobility-threat-engine", "fingerprint": "3b147e8cbcc0972339bab5787e227a98062fd1a97b39ec61bd26f2df73cf82f3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3b147e8cbcc0972339bab5787e227a98062fd1a97b39ec61bd26f2df73cf82f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/electron/workspace-git.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 50696, "scanner": "repobility-threat-engine", "fingerprint": "d8765de5def16b4c4553581ba60a60d435ecad745ea1f943c337e8ee2b7bbc83", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d8765de5def16b4c4553581ba60a60d435ecad745ea1f943c337e8ee2b7bbc83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/electron/browser-pane/agent-session-lifecycle.ts"}, "region": {"startLine": 318}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "properties": {"repobilityId": 50695, "scanner": "repobility-threat-engine", "fingerprint": "03477f3c225ccbb23c6eb223307bb8f56aa610a43b72f18b0967de2c27d05c02", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|03477f3c225ccbb23c6eb223307bb8f56aa610a43b72f18b0967de2c27d05c02"}}}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 5929, "scanner": "repobility-docker", "fingerprint": "da58004986afed33afc0256bf4e21c893c9b786c4649981b932b8da192ec7a47", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${TOOLCHAIN_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|da58004986afed33afc0256bf4e21c893c9b786c4649981b932b8da192ec7a47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/deploy/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC007", "level": "none", "message": {"text": "[SEC007] Unsafe Deserialization (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 5928, "scanner": "repobility-threat-engine", "fingerprint": "c3688caa294cdf183f3b9255495dce6fcdce3bd08432eac349ae348a58ed6a0d", "category": "deserialization", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c3688caa294cdf183f3b9255495dce6fcdce3bd08432eac349ae348a58ed6a0d"}}}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 5924, "scanner": "repobility-threat-engine", "fingerprint": "e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 5917, "scanner": "repobility-threat-engine", "fingerprint": "ed3769a4ea3a3aeb3b1fd74c33a316d9452004c8aff6770390b3265ad0543e09", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ed3769a4ea3a3aeb3b1fd74c33a316d9452004c8aff6770390b3265ad0543e09"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 5916, "scanner": "repobility-threat-engine", "fingerprint": "1cad02fc4cc2e8446ea76df1862b9670deba33d7a91ad5f8661c4bb8adf47e43", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|115|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/electron/browser-pane/downloads.ts"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 5915, "scanner": "repobility-threat-engine", "fingerprint": "613746eb3f8eb55a6818aa79aad57d5c0df3f10ee8eda3ce89dad6711bb4d833", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|598|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/electron/browser-pane/handlers.ts"}, "region": {"startLine": 598}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 5914, "scanner": "repobility-threat-engine", "fingerprint": "3d3aae1acd3a84d7fb1495e3f60aaddd1397788ce5089e7e55437b794023175f", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|1055|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/electron/browser-pane/tab-state.ts"}, "region": {"startLine": 1055}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50865, "scanner": "repobility-supply-chain", "fingerprint": "c74329b6c4d0c6efcbb63a0c0779d5a58f53faf4b6dd9b3c1cadb1bf9b5e37bb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c74329b6c4d0c6efcbb63a0c0779d5a58f53faf4b6dd9b3c1cadb1bf9b5e37bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-linux-runtime.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50839, "scanner": "repobility-supply-chain", "fingerprint": "049068303f89948017301e6a53c0853c6c41d1818ecde24c2585d0d8e9e01a51", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|049068303f89948017301e6a53c0853c6c41d1818ecde24c2585d0d8e9e01a51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 936}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50838, "scanner": "repobility-supply-chain", "fingerprint": "b79564eb1f148b50ee401b4a4cc35ad0dc2ca72e1af70d67f967d052525d2ae8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b79564eb1f148b50ee401b4a4cc35ad0dc2ca72e1af70d67f967d052525d2ae8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 930}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50837, "scanner": "repobility-supply-chain", "fingerprint": "0aeffb33bc7c7e147b033c3a42ba7dfe79a8c4ddf7c7a3f7eacd63cb9c729fce", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0aeffb33bc7c7e147b033c3a42ba7dfe79a8c4ddf7c7a3f7eacd63cb9c729fce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 924}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50836, "scanner": "repobility-supply-chain", "fingerprint": "1ff9cef2077bbf6e87fe71093e2cbc9f49e58e108b66390d1cc2f4ce4ebf5c82", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ff9cef2077bbf6e87fe71093e2cbc9f49e58e108b66390d1cc2f4ce4ebf5c82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 884}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50835, "scanner": "repobility-supply-chain", "fingerprint": "3381c0d76683676000ff76ba4f1c8446a23248061498b82df5a5ef4de5e3e411", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3381c0d76683676000ff76ba4f1c8446a23248061498b82df5a5ef4de5e3e411"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 584}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50834, "scanner": "repobility-supply-chain", "fingerprint": "e6097745d6d5f7940f1e8f9a9834f71e8054f64136378e2a9bc30ae6f954985f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e6097745d6d5f7940f1e8f9a9834f71e8054f64136378e2a9bc30ae6f954985f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 579}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50833, "scanner": "repobility-supply-chain", "fingerprint": "9344d1d19be9cda84ecd5713493ffa75bed2eb103882c24f4ca9a487d85bd72f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9344d1d19be9cda84ecd5713493ffa75bed2eb103882c24f4ca9a487d85bd72f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 574}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50832, "scanner": "repobility-supply-chain", "fingerprint": "04b9843285a340209ef44b3a391e51be14e6d84c8af7914e0ec3d72a4bac4756", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|04b9843285a340209ef44b3a391e51be14e6d84c8af7914e0ec3d72a4bac4756"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 552}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50831, "scanner": "repobility-supply-chain", "fingerprint": "6fec7304b2237b875b7c8fb7309d6aa6ce229d7a5a87e675ec089e86e6be05a6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6fec7304b2237b875b7c8fb7309d6aa6ce229d7a5a87e675ec089e86e6be05a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 283}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50830, "scanner": "repobility-supply-chain", "fingerprint": "50d4d74be4de0d9f68e048a0e0a4f56811472c24db99c299c67bbe077d9a4de9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|50d4d74be4de0d9f68e048a0e0a4f56811472c24db99c299c67bbe077d9a4de9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 278}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50829, "scanner": "repobility-supply-chain", "fingerprint": "5c81ec618141c9225fe245b76d9f0dce1a5a4b85a73476993c73d1473519eb98", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5c81ec618141c9225fe245b76d9f0dce1a5a4b85a73476993c73d1473519eb98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 273}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50828, "scanner": "repobility-supply-chain", "fingerprint": "221f3d8d46858365d39ddf5dd5707c97b7bcc76d32dbb212af59b8b32b08e394", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|221f3d8d46858365d39ddf5dd5707c97b7bcc76d32dbb212af59b8b32b08e394"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50827, "scanner": "repobility-supply-chain", "fingerprint": "57090ece5526115b3a49cb325f7a494e1689e5ebc9a6f0dcc8a978f3549aeb37", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|57090ece5526115b3a49cb325f7a494e1689e5ebc9a6f0dcc8a978f3549aeb37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 147}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50826, "scanner": "repobility-supply-chain", "fingerprint": "ae70924d1d21e717a6016217891317c196aeac546616ec78d9d949e921938b0b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae70924d1d21e717a6016217891317c196aeac546616ec78d9d949e921938b0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50825, "scanner": "repobility-supply-chain", "fingerprint": "c03b443a5207f553641150e070b3502dbf213c5c3c95422f926206ee333e82cd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c03b443a5207f553641150e070b3502dbf213c5c3c95422f926206ee333e82cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50824, "scanner": "repobility-supply-chain", "fingerprint": "1375ae35c780edb40082dfbe0d4f998ef3431da77245346cbe90bf7f732a2384", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1375ae35c780edb40082dfbe0d4f998ef3431da77245346cbe90bf7f732a2384"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50823, "scanner": "repobility-supply-chain", "fingerprint": "44d6c704a655cd2208f5599f5c03611a2ead9f91684c0cc4e07c8ef31f61a8d9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|44d6c704a655cd2208f5599f5c03611a2ead9f91684c0cc4e07c8ef31f61a8d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50822, "scanner": "repobility-supply-chain", "fingerprint": "c3cfd420f13437b151ce659ccb3c0bd30e5a7d8f25066d469bf39d1fc5c0071e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c3cfd420f13437b151ce659ccb3c0bd30e5a7d8f25066d469bf39d1fc5c0071e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50821, "scanner": "repobility-supply-chain", "fingerprint": "71a2e49866ee9676aeeed0ce9bc4f8f0b38ccf73e1600a34ba75897414540951", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|71a2e49866ee9676aeeed0ce9bc4f8f0b38ccf73e1600a34ba75897414540951"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50820, "scanner": "repobility-supply-chain", "fingerprint": "bc5518a7a9689ffe28e3b4c4a81a429a122573957ba3670d7c813168f02d689c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bc5518a7a9689ffe28e3b4c4a81a429a122573957ba3670d7c813168f02d689c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50819, "scanner": "repobility-supply-chain", "fingerprint": "0ad3fb071b3c2ed7150121533ec5a29fe342e321da28bbd88145ab6ae5098460", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0ad3fb071b3c2ed7150121533ec5a29fe342e321da28bbd88145ab6ae5098460"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50818, "scanner": "repobility-supply-chain", "fingerprint": "db8bbe4d5582a16c97be81ad1024324264e2422d66dd08d75a529681e4314480", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|db8bbe4d5582a16c97be81ad1024324264e2422d66dd08d75a529681e4314480"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50817, "scanner": "repobility-supply-chain", "fingerprint": "df11b93fd007bbc204b0a3b834e2d72f3a2b4a0f2ddacb03a6e5ce4e4f05eb28", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|df11b93fd007bbc204b0a3b834e2d72f3a2b4a0f2ddacb03a6e5ce4e4f05eb28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50816, "scanner": "repobility-supply-chain", "fingerprint": "0b9ea6fdd5f35d9e0311a01102611ac06e2e8e87a2a51b405e9f9e4e1a5d47b6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0b9ea6fdd5f35d9e0311a01102611ac06e2e8e87a2a51b405e9f9e4e1a5d47b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/v1/capabilities/runtime-tools/onboarding/alignment-question has no auth: Express route POST /api/v1/capabilities/runtime-tools/onboarding/alignment-question declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50815, "scanner": "repobility-route-auth", "fingerprint": "8a9563ae8eca1316bd173a8ae4befd90451e03bf6ce521cd9a5ff7d2352dd4e0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|8a9563ae8eca1316bd173a8ae4befd90451e03bf6ce521cd9a5ff7d2352dd4e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5832}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/v1/capabilities/runtime-tools/onboarding/alignment-report has no auth: Express route POST /api/v1/capabilities/runtime-tools/onboarding/alignment-report declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50814, "scanner": "repobility-route-auth", "fingerprint": "6216f0cb7a0f50b12f251a2782ec83e2c6c60505fca01ce19505434a9f56c6bb", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6216f0cb7a0f50b12f251a2782ec83e2c6c60505fca01ce19505434a9f56c6bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5811}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/v1/integrations/memory-clear has no auth: Express route POST /api/v1/integrations/memory-clear declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50813, "scanner": "repobility-route-auth", "fingerprint": "dafcc1f0f700c7c2c17013d681b068e50d227e111f69dfbfbf023b91fbc94c03", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|dafcc1f0f700c7c2c17013d681b068e50d227e111f69dfbfbf023b91fbc94c03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5688}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/v1/integrations/context-fetch has no auth: Express route POST /api/v1/integrations/context-fetch declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50812, "scanner": "repobility-route-auth", "fingerprint": "cf60d19003acff48b20eb98be53d014ca8d068dab4d359113a6cb0b100f39648", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|cf60d19003acff48b20eb98be53d014ca8d068dab4d359113a6cb0b100f39648"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5647}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/v1/integrations/composio/finalize has no auth: Express route POST /api/v1/integrations/composio/finalize declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50811, "scanner": "repobility-route-auth", "fingerprint": "c8f0a36cb2eb0c8b8b504b6e9383d610fa11ea3a8ef5889132f7a627def6e989", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|c8f0a36cb2eb0c8b8b504b6e9383d610fa11ea3a8ef5889132f7a627def6e989"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5577}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/v1/integrations/oauth/authorize has no auth: Express route POST /api/v1/integrations/oauth/authorize declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50810, "scanner": "repobility-route-auth", "fingerprint": "24f25d57057f7514153d12cc1096906c29d5a691032ca25691716a40c0f0c5db", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|24f25d57057f7514153d12cc1096906c29d5a691032ca25691716a40c0f0c5db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5563}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /api/v1/integrations/oauth/configs/:providerId has no auth: Express route DELETE /api/v1/integrations/oauth/configs/:providerId declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50809, "scanner": "repobility-route-auth", "fingerprint": "82190eb325856d89e49c760fa59fc1374f29372dafff0fea724714f572043897", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|82190eb325856d89e49c760fa59fc1374f29372dafff0fea724714f572043897"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5557}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PUT /api/v1/integrations/oauth/configs/:providerId has no auth: Express route PUT /api/v1/integrations/oauth/configs/:providerId declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50808, "scanner": "repobility-route-auth", "fingerprint": "7c3489b7d46cbe3a6616b811ae19cd99e2a143d5594f6ca41b287bf785b443f2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|7c3489b7d46cbe3a6616b811ae19cd99e2a143d5594f6ca41b287bf785b443f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5532}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/v1/integrations/broker/proxy has no auth: Express route POST /api/v1/integrations/broker/proxy declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50807, "scanner": "repobility-route-auth", "fingerprint": "599b067b79e250e7ba432d0347f1524b65b74ad658d02eb0eb2b15b62f7a0e29", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|599b067b79e250e7ba432d0347f1524b65b74ad658d02eb0eb2b15b62f7a0e29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5490}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/v1/integrations/broker/token has no auth: Express route POST /api/v1/integrations/broker/token declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50806, "scanner": "repobility-route-auth", "fingerprint": "0716987b72a481e3f3a1cc237f4b283b5e25f96839fe2ce6ba058192663d3d2d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0716987b72a481e3f3a1cc237f4b283b5e25f96839fe2ce6ba058192663d3d2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5471}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /api/v1/integrations/bindings/:bindingId has no auth: Express route DELETE /api/v1/integrations/bindings/:bindingId declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50805, "scanner": "repobility-route-auth", "fingerprint": "1a823c5bf2b2728e207c0cdc5df24ab4ad16829c941f975583e1431bc9876085", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|1a823c5bf2b2728e207c0cdc5df24ab4ad16829c941f975583e1431bc9876085"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5430}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PUT /api/v1/integrations/bindings/:workspaceId/:targetType/:targetId/:integrationKey has no auth: Express route PUT /api/v1/integrations/bindings/:workspaceId/:targetType/:targetId/:integrationKey declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50804, "scanner": "repobility-route-auth", "fingerprint": "26e4e79d178c6b7603e9f2a3fc7aaacd156aa233675c530432981ba4ea71ff7d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|26e4e79d178c6b7603e9f2a3fc7aaacd156aa233675c530432981ba4ea71ff7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5372}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /api/v1/integrations/connections/:connectionId has no auth: Express route DELETE /api/v1/integrations/connections/:connectionId declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50803, "scanner": "repobility-route-auth", "fingerprint": "212281727bf07616e2df339e7570e5b92101ab078049a4f9b3eb1cbda47845a7", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|212281727bf07616e2df339e7570e5b92101ab078049a4f9b3eb1cbda47845a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5342}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/v1/integrations/connections/:connectionId/merge has no auth: Express route POST /api/v1/integrations/connections/:connectionId/merge declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50802, "scanner": "repobility-route-auth", "fingerprint": "e1d438d6925340432ec462d259ca348b6ca502c5c2ca55328defc926d47cdeab", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|e1d438d6925340432ec462d259ca348b6ca502c5c2ca55328defc926d47cdeab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5316}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PATCH /api/v1/integrations/connections/:connectionId has no auth: Express route PATCH /api/v1/integrations/connections/:connectionId declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50801, "scanner": "repobility-route-auth", "fingerprint": "29154babb5c38b72719d9e0331ff191927fbac988ca64c7ce9997291fd8acf20", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|29154babb5c38b72719d9e0331ff191927fbac988ca64c7ce9997291fd8acf20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5264}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/v1/integrations/connections has no auth: Express route POST /api/v1/integrations/connections declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50800, "scanner": "repobility-route-auth", "fingerprint": "1963268d2f929e1871308c18a58502e03e2cf34786101fd7507f6d7fa53bf688", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|1963268d2f929e1871308c18a58502e03e2cf34786101fd7507f6d7fa53bf688"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5238}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/v1/terminal-sessions/:terminalId/close has no auth: Express route POST /api/v1/terminal-sessions/:terminalId/close declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50799, "scanner": "repobility-route-auth", "fingerprint": "709dafa91750834794f6e359fec672c2b15c50c79948f3aec143a7f4e19780a1", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|709dafa91750834794f6e359fec672c2b15c50c79948f3aec143a7f4e19780a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5117}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/v1/terminal-sessions/:terminalId/signal has no auth: Express route POST /api/v1/terminal-sessions/:terminalId/signal declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50798, "scanner": "repobility-route-auth", "fingerprint": "1a9ee37f76f53c1a2fb8d91692574e5ae8f49043c9ac6bccaf5e3ef3bd44f410", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|1a9ee37f76f53c1a2fb8d91692574e5ae8f49043c9ac6bccaf5e3ef3bd44f410"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5094}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/v1/terminal-sessions/:terminalId/resize has no auth: Express route POST /api/v1/terminal-sessions/:terminalId/resize declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50797, "scanner": "repobility-route-auth", "fingerprint": "687fc3c4324deb888b21804a3331233a64ce6303d1d6024bf414eb100ec1b3fd", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|687fc3c4324deb888b21804a3331233a64ce6303d1d6024bf414eb100ec1b3fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5070}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/v1/terminal-sessions/:terminalId/input has no auth: Express route POST /api/v1/terminal-sessions/:terminalId/input declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50796, "scanner": "repobility-route-auth", "fingerprint": "bd14473b7b78d0a63d7f06478367839e5dcf3d0d2b62b720aa0a6dcbee698673", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|bd14473b7b78d0a63d7f06478367839e5dcf3d0d2b62b720aa0a6dcbee698673"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 5047}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/v1/terminal-sessions has no auth: Express route POST /api/v1/terminal-sessions declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50795, "scanner": "repobility-route-auth", "fingerprint": "5c06b1a0ef47bb3445957f12eee3ddbde211070c7cbc450bc6d3d2c24c8ded9f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|5c06b1a0ef47bb3445957f12eee3ddbde211070c7cbc450bc6d3d2c24c8ded9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 4958}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/v1/capabilities/browser/tools/:toolId has no auth: Express route POST /api/v1/capabilities/browser/tools/:toolId declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50794, "scanner": "repobility-route-auth", "fingerprint": "1c6850743258b178f781f5f68d59e60e6043f779f29fa7ddbc8f925f60d035a4", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|1c6850743258b178f781f5f68d59e60e6043f779f29fa7ddbc8f925f60d035a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 4892}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/v1/runtime/profile/auth-fallback has no auth: Express route POST /api/v1/runtime/profile/auth-fallback declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50793, "scanner": "repobility-route-auth", "fingerprint": "0fab7575d2cc4e39c745ba38820256c2efd9d8f1cb576864bb109fcdffa37685", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0fab7575d2cc4e39c745ba38820256c2efd9d8f1cb576864bb109fcdffa37685"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 4858}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PUT /api/v1/runtime/profile has no auth: Express route PUT /api/v1/runtime/profile declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50792, "scanner": "repobility-route-auth", "fingerprint": "a7cec4f9bea4056c1a2dc793290b051d5b084f0fb15299dd3d1a7503f455da89", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a7cec4f9bea4056c1a2dc793290b051d5b084f0fb15299dd3d1a7503f455da89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 4839}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PUT /api/v1/runtime/config has no auth: Express route PUT /api/v1/runtime/config declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50791, "scanner": "repobility-route-auth", "fingerprint": "937f3df158339054578de5ec53364efc48aa04ec8d0566fb53ac71a4c0aa8764", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|937f3df158339054578de5ec53364efc48aa04ec8d0566fb53ac71a4c0aa8764"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/app.ts"}, "region": {"startLine": 4818}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 50790, "scanner": "repobility-journey-contract", "fingerprint": "7c77ff12c36f43b08498ea8f59ac0a197be39834469b220a44e811f4c08376db", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|3828|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/auth/AuthPanel.tsx"}, "region": {"startLine": 3828}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 50789, "scanner": "repobility-journey-contract", "fingerprint": "3adf2de38a9135ecaff861e2fa3ded1f7dee869ffeaa051b0d6380272a22bb0d", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|3420|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/auth/AuthPanel.tsx"}, "region": {"startLine": 3420}}}]}, {"ruleId": "AGT002", "level": "error", "message": {"text": "LLM memory extraction can be prompt-injected into storing fake facts"}, "properties": {"repobilityId": 50787, "scanner": "repobility-agent-runtime", "fingerprint": "5d935e7c4b3fed075d7ae1c2305820b353be154cf84776e5e73a702bc28bcff1", "category": "llm_injection", "severity": "high", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File appears to persist LLM-extracted memory from user/assistant exchanges without visible schema validation or prompt-pattern rejection.", "evidence": {"rule_id": "AGT002", "scanner": "repobility-agent-runtime", "data_flow": "chat_exchange_to_persistent_memory", "references": ["https://owasp.org/www-project-top-10-for-large-language-model-applications/"], "correlation_key": "fp|5d935e7c4b3fed075d7ae1c2305820b353be154cf84776e5e73a702bc28bcff1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/memory-writeback-extractor.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 50739, "scanner": "repobility-threat-engine", "fingerprint": "6b3303f47aaefa80083b54373f31a6ff836772177b5744c3e4b386f1f04e0ac1", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((id) => `${id}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6b3303f47aaefa80083b54373f31a6ff836772177b5744c3e4b386f1f04e0ac1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/composio-tool-registry.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 50738, "scanner": "repobility-threat-engine", "fingerprint": "7cde20f22457437b04ae9f06ee59ec05303244d66636b1eed003fcd9e9bc1036", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((c) => `${c.table}.${c.column.name}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7cde20f22457437b04ae9f06ee59ec05303244d66636b1eed003fcd9e9bc1036"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/apply-app-schema.ts"}, "region": {"startLine": 171}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 50737, "scanner": "repobility-threat-engine", "fingerprint": "2cae7ce4ba5b37cb4c561311d2951b3e298c487f8e240cd7249f0adb3b997583", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((part) => `${part[0]?.toUpperCase() ?? \"\"}${part.slice(1)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2cae7ce4ba5b37cb4c561311d2951b3e298c487f8e240cd7249f0adb3b997583"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/panes/ChatPane/Composer/ThinkingValueSelect.tsx"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 50735, "scanner": "repobility-threat-engine", "fingerprint": "00d8f90c7244a4756960b5b9b29eee5c5d7db95131d7e6bc2ff42e1a62e5182d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|00d8f90c7244a4756960b5b9b29eee5c5d7db95131d7e6bc2ff42e1a62e5182d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/panes/ChatPane/skeletons.tsx"}, "region": {"startLine": 303}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 50734, "scanner": "repobility-threat-engine", "fingerprint": "cd1d499f1375461555da4ad593b504cec7faa0b970f6d8f7e3cfb0f65221bf4c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(line", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cd1d499f1375461555da4ad593b504cec7faa0b970f6d8f7e3cfb0f65221bf4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/panes/ChatPane/helpers.ts"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 50733, "scanner": "repobility-threat-engine", "fingerprint": "2110005249ff39b825e2b558c1b0eb0e7b2a55fe4c24ece9e0b6a52c15c8eb88", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(line", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2110005249ff39b825e2b558c1b0eb0e7b2a55fe4c24ece9e0b6a52c15c8eb88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/marketplace/markdownFenceNormalization.mjs"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 50716, "scanner": "repobility-threat-engine", "fingerprint": "ad2471d4486a4e986103b84d8385a91b7086d69bd5af9852fc2a7839df098c1a", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(params.workspaceRoot, params", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|71|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/session-scratchpad.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 50715, "scanner": "repobility-threat-engine", "fingerprint": "3dfa0949082bc2cf1671b8dbe668bf4a546a0ec17e8d71ac57cb7c2e47d1b6fa", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.resolve(params", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|73|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/runner-prep.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 50714, "scanner": "repobility-threat-engine", "fingerprint": "c2b073a5550a6e21eed8847d0c42a1965b29c5c77b25a0a929c8f691e59e7efc", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(params", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|170|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/scripts/runtime-bundle-state.mjs"}, "region": {"startLine": 170}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 50703, "scanner": "repobility-threat-engine", "fingerprint": "6452b2557facb4789c07a8725658e0485bf3e0145be72d16a1fb83e4dafba715", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "nativeAttemptedAtRef.current.delete(notification.id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6452b2557facb4789c07a8725658e0485bf3e0145be72d16a1fb83e4dafba715"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/components/layout/new-shell/useShellNotifications.ts"}, "region": {"startLine": 151}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 50702, "scanner": "repobility-threat-engine", "fingerprint": "7d663d6b573894291a5873b294ca17e4c408bd375c6462cf87dc9cc0e01490ab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "userBrowserInterruptPrompts.delete(workspaceId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7d663d6b573894291a5873b294ca17e4c408bd375c6462cf87dc9cc0e01490ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/electron/browser-pane/user-lock.ts"}, "region": {"startLine": 246}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 50701, "scanner": "repobility-threat-engine", "fingerprint": "3a6ac6912e7bf7d14789a54df63b4922f44aa85e432871d00d4edc9d86f1037a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "tab.requests.delete(removedRequestId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3a6ac6912e7bf7d14789a54df63b4922f44aa85e432871d00d4edc9d86f1037a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/electron/browser-pane/tab-observability.ts"}, "region": {"startLine": 158}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 50700, "scanner": "repobility-threat-engine", "fingerprint": "973c24b769e515dfe712c30b73761be2692b319221ea4c371fad3ae055957de6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|973c24b769e515dfe712c30b73761be2692b319221ea4c371fad3ae055957de6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/electron/browser-pane/tab-observability.ts"}, "region": {"startLine": 129}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 50694, "scanner": "repobility-threat-engine", "fingerprint": "4c378b631b9d30dacce4e2bb2e3b6c49f47ca5ec909f11e28e2cc1cff2439b3b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4c378b631b9d30dacce4e2bb2e3b6c49f47ca5ec909f11e28e2cc1cff2439b3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/electron/bff-fetch.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 50693, "scanner": "repobility-threat-engine", "fingerprint": "0cc873074801c320d60f40f79add77073cd7f2c9ebd137b6000d352e7a4dc644", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0cc873074801c320d60f40f79add77073cd7f2c9ebd137b6000d352e7a4dc644"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/electron/authPopupPreload.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 50692, "scanner": "repobility-threat-engine", "fingerprint": "ab8cbaecae838969797202eff814571b6be9009a2f5886204033ac104daef093", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(\n        p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ab8cbaecae838969797202eff814571b6be9009a2f5886204033ac104daef093"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/electron-builder.config.cjs"}, "region": {"startLine": 219}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 5936, "scanner": "repobility-journey-contract", "fingerprint": "f7a93c9f95f8852809dcd964877196508391d1e01ee106a118be1f8ab0c0d9cc", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|3698|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/components/auth/AuthPanel.tsx"}, "region": {"startLine": 3698}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 5935, "scanner": "repobility-journey-contract", "fingerprint": "12692cea5ea71f4cfff7ab3fcf71078869eab3ea128588ef56696ea9d398a8d3", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|3290|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/components/auth/AuthPanel.tsx"}, "region": {"startLine": 3290}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 5934, "scanner": "repobility-journey-contract", "fingerprint": "f90049ba45abe1d57251e3b73d766cf85d2ef8260a7cdb05fbfc01550a2c2420", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|39|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/memory-recall-index.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "AGT002", "level": "error", "message": {"text": "LLM memory extraction can be prompt-injected into storing fake facts"}, "properties": {"repobilityId": 5910, "scanner": "repobility-agent-runtime", "fingerprint": "d876eeed8daacc14900b10207f753f009b0873e2610ad28bb152ad3c56c03de8", "category": "llm_injection", "severity": "high", "confidence": 0.82, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File appears to persist LLM-extracted memory from user/assistant exchanges without visible schema validation or prompt-pattern rejection.", "evidence": {"rule_id": "AGT002", "scanner": "repobility-agent-runtime", "data_flow": "chat_exchange_to_persistent_memory", "references": ["https://owasp.org/www-project-top-10-for-large-language-model-applications/"], "correlation_key": "fp|d876eeed8daacc14900b10207f753f009b0873e2610ad28bb152ad3c56c03de8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/memory-writeback-extractor.ts"}, "region": {"startLine": 117}}}]}, {"ruleId": "AGT002", "level": "error", "message": {"text": "LLM memory extraction can be prompt-injected into storing fake facts"}, "properties": {"repobilityId": 5909, "scanner": "repobility-agent-runtime", "fingerprint": "aab06db7bb8c7dc3d90369df9c67c3a3616cd6e681291f1ac2de96da5a96ec93", "category": "llm_injection", "severity": "high", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File appears to persist LLM-extracted memory from user/assistant exchanges without visible schema validation or prompt-pattern rejection.", "evidence": {"rule_id": "AGT002", "scanner": "repobility-agent-runtime", "data_flow": "chat_exchange_to_persistent_memory", "references": ["https://owasp.org/www-project-top-10-for-large-language-model-applications/"], "correlation_key": "fp|aab06db7bb8c7dc3d90369df9c67c3a3616cd6e681291f1ac2de96da5a96ec93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/evolve-skill-review.ts"}, "region": {"startLine": 446}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.R2_ENDPOINT_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.R2_ENDPOINT_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50864, "scanner": "repobility-supply-chain", "fingerprint": "1bb686d45a64b9543acf1f5a7c02d1bdefa73f6e08df40410e7ee4d31415cc73", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1bb686d45a64b9543acf1f5a7c02d1bdefa73f6e08df40410e7ee4d31415cc73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 1085}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.R2_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.R2_SECRET_ACCESS_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50863, "scanner": "repobility-supply-chain", "fingerprint": "cf07a19b5ce02e51c1fea2fcb01909682b3e24668afa02122e437b4d084a8f06", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cf07a19b5ce02e51c1fea2fcb01909682b3e24668afa02122e437b4d084a8f06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 1080}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.R2_ACCESS_KEY_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.R2_ACCESS_KEY_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50862, "scanner": "repobility-supply-chain", "fingerprint": "caf4b5bfd6bbcdfd2f5fc1a1d2c4373d7255d56e3fabb5b89ab8f9baf8b7431f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|caf4b5bfd6bbcdfd2f5fc1a1d2c4373d7255d56e3fabb5b89ab8f9baf8b7431f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 1079}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.HOLABOSS_RELEASES_REPO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.HOLABOSS_RELEASES_REPO_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50861, "scanner": "repobility-supply-chain", "fingerprint": "66500c7944dd350a81fd10d7dac901c3e23e21e84ee882c84503101561f3ddd6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|66500c7944dd350a81fd10d7dac901c3e23e21e84ee882c84503101561f3ddd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 943}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SENTRY_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50860, "scanner": "repobility-supply-chain", "fingerprint": "697b60fe9c9814d95bc0a7543a41acfaba2182dd14fc42cfa26f50e5092506b2", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|697b60fe9c9814d95bc0a7543a41acfaba2182dd14fc42cfa26f50e5092506b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 845}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SENTRY_DSN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_DSN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50859, "scanner": "repobility-supply-chain", "fingerprint": "bd719b634ac2aa662011caafcedcbef2c9d641e0f629bd31e10ada7906e92a7c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bd719b634ac2aa662011caafcedcbef2c9d641e0f629bd31e10ada7906e92a7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 753}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_CLIENT_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_CLIENT_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50858, "scanner": "repobility-supply-chain", "fingerprint": "beb5d85f661199fee011ca680b05dea5e3fa1676fe38bdc238521b67a3f66d8e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|beb5d85f661199fee011ca680b05dea5e3fa1676fe38bdc238521b67a3f66d8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 752}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50857, "scanner": "repobility-supply-chain", "fingerprint": "9d6cd957e2da42ac1cdd9f3d0bab3cf4666deaf29ed7cc8f0d54f51143d695ac", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9d6cd957e2da42ac1cdd9f3d0bab3cf4666deaf29ed7cc8f0d54f51143d695ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 751}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_TENANT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50856, "scanner": "repobility-supply-chain", "fingerprint": "44cd465abf921d2dbfd1e76a1ca97fac72e9999c5bf82dbeab1c48a8b31d758a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|44cd465abf921d2dbfd1e76a1ca97fac72e9999c5bf82dbeab1c48a8b31d758a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 750}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_CLIENT_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_CLIENT_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50855, "scanner": "repobility-supply-chain", "fingerprint": "d343fa4caab4830ee2f67e24abeb2e57dcd59c36ab2cb5936050169f8d58f8e0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d343fa4caab4830ee2f67e24abeb2e57dcd59c36ab2cb5936050169f8d58f8e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 664}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50854, "scanner": "repobility-supply-chain", "fingerprint": "0d6da404895e01316db2ea701c84a83e215e507b0c0c317be5e893901dc38b62", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0d6da404895e01316db2ea701c84a83e215e507b0c0c317be5e893901dc38b62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 663}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_TENANT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50853, "scanner": "repobility-supply-chain", "fingerprint": "76856cb93e9c8aa3ff80441ba4e79a4d71603798e29758656d7f2f227f17c4b5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76856cb93e9c8aa3ff80441ba4e79a4d71603798e29758656d7f2f227f17c4b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 662}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_CLIENT_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_CLIENT_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50852, "scanner": "repobility-supply-chain", "fingerprint": "ce408c3dc0e7b87c68970adf5a8357463a42379178602704b5f8d6187d677dba", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ce408c3dc0e7b87c68970adf5a8357463a42379178602704b5f8d6187d677dba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 602}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50851, "scanner": "repobility-supply-chain", "fingerprint": "26c2c2d11ccde655309ac8e2eefaf1fa837a81450ffe713ee388a007e1901dca", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|26c2c2d11ccde655309ac8e2eefaf1fa837a81450ffe713ee388a007e1901dca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 601}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_TENANT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50850, "scanner": "repobility-supply-chain", "fingerprint": "d0935b4cb738c0a9d12c63014dfd39e0b04301acba1afe0a440bbb494e46f338", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d0935b4cb738c0a9d12c63014dfd39e0b04301acba1afe0a440bbb494e46f338"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 600}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SENTRY_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50849, "scanner": "repobility-supply-chain", "fingerprint": "0bb6cf8faf07561857b3f3ac3d0c3ef90f681d543de80e349292f18ac88c0315", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0bb6cf8faf07561857b3f3ac3d0c3ef90f681d543de80e349292f18ac88c0315"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 364}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SENTRY_DSN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_DSN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50848, "scanner": "repobility-supply-chain", "fingerprint": "289989edfda7ee19729973231adf58b9d43c64307773fd88443b1b6a21b1069f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|289989edfda7ee19729973231adf58b9d43c64307773fd88443b1b6a21b1069f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 340}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SENTRY_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50847, "scanner": "repobility-supply-chain", "fingerprint": "1c06bf07367fe1b9cead6a8308e937c0f3fb6927186604eeb4df04c3691a1970", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1c06bf07367fe1b9cead6a8308e937c0f3fb6927186604eeb4df04c3691a1970"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 302}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SENTRY_DSN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_DSN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50846, "scanner": "repobility-supply-chain", "fingerprint": "a46b25ecc48bcb6f089af5dc34a40d53d2adba6e2dd6181a5e0e328b1bf7fd20", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a46b25ecc48bcb6f089af5dc34a40d53d2adba6e2dd6181a5e0e328b1bf7fd20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 294}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APPLE_TEAM_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_TEAM_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50845, "scanner": "repobility-supply-chain", "fingerprint": "c38d6167ed76aa5d10a556f475a24efd0a0fc86dd99797c1144c46bf120c5944", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c38d6167ed76aa5d10a556f475a24efd0a0fc86dd99797c1144c46bf120c5944"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 270}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APPLE_APP_SPECIFIC_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_APP_SPECIFIC_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50844, "scanner": "repobility-supply-chain", "fingerprint": "1e2218adb68ddcf95828ec9f8c269a16b08a6c575fd6ea999f1726981a99768c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e2218adb68ddcf95828ec9f8c269a16b08a6c575fd6ea999f1726981a99768c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 269}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APPLE_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50843, "scanner": "repobility-supply-chain", "fingerprint": "5f40ba5ed3d5aba747a5fc32435b3d5bd496570a041ec04f793cbbaa9ec5697b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5f40ba5ed3d5aba747a5fc32435b3d5bd496570a041ec04f793cbbaa9ec5697b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 268}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.MAC_CERTIFICATE_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.MAC_CERTIFICATE_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50842, "scanner": "repobility-supply-chain", "fingerprint": "4bca04516fb3b34cee75993bfa88b65ebe7079e1ad22300d5f8ea129b9d4e5ff", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4bca04516fb3b34cee75993bfa88b65ebe7079e1ad22300d5f8ea129b9d4e5ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 267}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.MAC_CERTIFICATE` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.MAC_CERTIFICATE }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50841, "scanner": "repobility-supply-chain", "fingerprint": "0a0e2731cc878f59e8d5fc493f2e0ce1c23e03cc8f8615b819c3e3b9ca3ff466", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a0e2731cc878f59e8d5fc493f2e0ce1c23e03cc8f8615b819c3e3b9ca3ff466"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 266}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.HOLABOSS_RELEASES_REPO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.HOLABOSS_RELEASES_REPO_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50840, "scanner": "repobility-supply-chain", "fingerprint": "ce547bdad1274c54b822d22e3c1f02c4a58fe8813061aa30d7bb5e88fc1c4d06", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ce547bdad1274c54b822d22e3c1f02c4a58fe8813061aa30d7bb5e88fc1c4d06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 222}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 50746, "scanner": "repobility-threat-engine", "fingerprint": "d6fbae857aae236c16c5c07ec9f62be1b8ebabe54d97a8ce72132ea98ab6baf8", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(process", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d6fbae857aae236c16c5c07ec9f62be1b8ebabe54d97a8ce72132ea98ab6baf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/deploy/build_runtime_root.sh"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 50744, "scanner": "repobility-threat-engine", "fingerprint": "2e89b46c4808dcad25e6b7238a893f48001724d6ef9338f4e54e857275f12c1c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2e89b46c4808dcad25e6b7238a893f48001724d6ef9338f4e54e857275f12c1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/composio-tool-registry.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 50743, "scanner": "repobility-threat-engine", "fingerprint": "7b0fe780be7501e8db531707f2ce290afc02117ce4d6474bb9753e8561ffbfd0", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|48|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/composio-tool-registry.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 50742, "scanner": "repobility-threat-engine", "fingerprint": "90d42ae67b197001699a4922b95c7103c7c5c38c83c6246d59199b73e8320c6a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(raw)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|90d42ae67b197001699a4922b95c7103c7c5c38c83c6246d59199b73e8320c6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/composio-tool-registry.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "SSTI001", "level": "error", "message": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "properties": {"repobilityId": 15873, "scanner": "repobility", "fingerprint": "1f6d27cdb0c97ee3fe21726fafb38193", "category": "injection", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "Template([\n    \"process.stdout.write(JSON.stringify({ session_id: 'session-1', input_id: 'input", "aljefra_cwe": ["CWE-94"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "ssti-jinja-from-string"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/runner-worker.test.ts"}, "region": {"startLine": 329}}}]}, {"ruleId": "SSTI001", "level": "error", "message": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "properties": {"repobilityId": 15872, "scanner": "repobility", "fingerprint": "211c071aa514783c4af1d367a8fc8183", "category": "injection", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "Template([\n    \"const request", "aljefra_cwe": ["CWE-94"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "ssti-jinja-from-string"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/runner-worker.test.ts"}, "region": {"startLine": 193}}}]}, {"ruleId": "SSTI001", "level": "error", "message": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "properties": {"repobilityId": 15871, "scanner": "repobility", "fingerprint": "72f904ff705c321624afe2ff26644191", "category": "injection", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "Template([\n    \"const request", "aljefra_cwe": ["CWE-94"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "ssti-jinja-from-string"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/runner-worker.test.ts"}, "region": {"startLine": 174}}}]}, {"ruleId": "SSTI001", "level": "error", "message": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "properties": {"repobilityId": 15870, "scanner": "repobility", "fingerprint": "e48fd23ace5919696d2a65cda1dcea11", "category": "injection", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "Template([\n    \"const request", "aljefra_cwe": ["CWE-94"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "ssti-jinja-from-string"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/runner-worker.test.ts"}, "region": {"startLine": 141}}}]}, {"ruleId": "DSER001", "level": "error", "message": {"text": "Insecure deserialization \u2014 pickle/yaml/marshal"}, "properties": {"repobilityId": 15815, "scanner": "repobility", "fingerprint": "d6fcda98eb594fec88bb1b68beb367ce", "category": "deserialization", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "yaml.load(", "aljefra_cwe": ["CWE-502"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "unsafe-deserialization-pickle"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/workspace-runtime-plan.ts"}, "region": {"startLine": 799}}}]}, {"ruleId": "DSER001", "level": "error", "message": {"text": "Insecure deserialization \u2014 pickle/yaml/marshal"}, "properties": {"repobilityId": 15814, "scanner": "repobility", "fingerprint": "b0fd377a7a2128831266cc69f5711ba5", "category": "deserialization", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "yaml.load(", "aljefra_cwe": ["CWE-502"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "unsafe-deserialization-pickle"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/workspace-runtime-plan.ts"}, "region": {"startLine": 207}}}]}, {"ruleId": "DSER001", "level": "error", "message": {"text": "Insecure deserialization \u2014 pickle/yaml/marshal"}, "properties": {"repobilityId": 15813, "scanner": "repobility", "fingerprint": "8c5b145d9bdfda06155669727c13671b", "category": "deserialization", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "yaml.load(", "aljefra_cwe": ["CWE-502"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "unsafe-deserialization-pickle"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/memory-recall-manifest.ts"}, "region": {"startLine": 178}}}]}, {"ruleId": "DSER001", "level": "error", "message": {"text": "Insecure deserialization \u2014 pickle/yaml/marshal"}, "properties": {"repobilityId": 15812, "scanner": "repobility", "fingerprint": "5528c5af8a29aecda26e36ae50d321aa", "category": "deserialization", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "yaml.load(", "aljefra_cwe": ["CWE-502"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "unsafe-deserialization-pickle"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/proactive-context.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "DSER001", "level": "error", "message": {"text": "Insecure deserialization \u2014 pickle/yaml/marshal"}, "properties": {"repobilityId": 15811, "scanner": "repobility", "fingerprint": "036a3b02d79e587d9317dc7a26637f89", "category": "deserialization", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "yaml.load(", "aljefra_cwe": ["CWE-502"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "unsafe-deserialization-pickle"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/workspace-skills.ts"}, "region": {"startLine": 82}}}]}, {"ruleId": "DSER001", "level": "error", "message": {"text": "Insecure deserialization \u2014 pickle/yaml/marshal"}, "properties": {"repobilityId": 15810, "scanner": "repobility", "fingerprint": "fa6d498d44d9abc2d9633aab9f5b251d", "category": "deserialization", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "yaml.load(", "aljefra_cwe": ["CWE-502"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "unsafe-deserialization-pickle"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/workspace-apps.ts"}, "region": {"startLine": 391}}}]}, {"ruleId": "DSER001", "level": "error", "message": {"text": "Insecure deserialization \u2014 pickle/yaml/marshal"}, "properties": {"repobilityId": 15809, "scanner": "repobility", "fingerprint": "02a754ac40d99ad733ce1c754b4aff11", "category": "deserialization", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "yaml.load(", "aljefra_cwe": ["CWE-502"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "unsafe-deserialization-pickle"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/workspace-apps.ts"}, "region": {"startLine": 342}}}]}, {"ruleId": "DSER001", "level": "error", "message": {"text": "Insecure deserialization \u2014 pickle/yaml/marshal"}, "properties": {"repobilityId": 15808, "scanner": "repobility", "fingerprint": "8450150b61b91f341f29b9326adca170", "category": "deserialization", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "yaml.load(", "aljefra_cwe": ["CWE-502"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "unsafe-deserialization-pickle"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/workspace-apps.ts"}, "region": {"startLine": 231}}}]}, {"ruleId": "DSER001", "level": "error", "message": {"text": "Insecure deserialization \u2014 pickle/yaml/marshal"}, "properties": {"repobilityId": 15807, "scanner": "repobility", "fingerprint": "d0ab18c39db4894ff774d5a7c9262723", "category": "deserialization", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "yaml.load(", "aljefra_cwe": ["CWE-502"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "unsafe-deserialization-pickle"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/workspace-apps.ts"}, "region": {"startLine": 193}}}]}, {"ruleId": "DSER001", "level": "error", "message": {"text": "Insecure deserialization \u2014 pickle/yaml/marshal"}, "properties": {"repobilityId": 15806, "scanner": "repobility", "fingerprint": "ca12e4cca72542e9b4ee5c1b5cdf5d27", "category": "deserialization", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "yaml.load(", "aljefra_cwe": ["CWE-502"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "unsafe-deserialization-pickle"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/api-server/src/workspace-apps.ts"}, "region": {"startLine": 152}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 5933, "scanner": "repobility-journey-contract", "fingerprint": "ba33cfa67deed40ec8a84da838cc402205fc57138e8b6d4fa5d333a5c32a7f82", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|desktop/electron/main.ts|8825|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/electron/main.ts"}, "region": {"startLine": 8825}}}]}]}]}