{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Codex session JSONL files can contain prompts, tool events, paths, and operational metadata, not only token counts. Token dashboards and exporters should avoid retaining or sharing raw session text."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `softprops/action-gh-release` pinned to mutable ref `@v2`", "shortDescription": {"text": "Action `softprops/action-gh-release` pinned to mutable ref `@v2`"}, "fullDescription": {"text": "`uses: softprops/action-gh-release@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/567"}, "properties": {"repository": "mxyxyz9/Tabs-ide", "repoUrl": "https://github.com/mxyxyz9/Tabs-ide.git", "branch": "beta"}, "results": [{"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 38998, "scanner": "repobility-threat-engine", "fingerprint": "3023e8c197042cc3b4af358427c62aeed8d0fa53ad17fb40df1407a13e4ad51c", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(url, \"_blank\", \"noopener,noreferrer\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|apps/web/src/wsnativeapi.ts|177|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/wsNativeApi.ts"}, "region": {"startLine": 177}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 38997, "scanner": "repobility-threat-engine", "fingerprint": "528252cd5aca0f49f12e21cc892f303bd8081a00c6866dd750d413e61c5fb084", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|528252cd5aca0f49f12e21cc892f303bd8081a00c6866dd750d413e61c5fb084"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/KeybindingsToast.browser.tsx"}, "region": {"startLine": 385}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 38987, "scanner": "repobility-threat-engine", "fingerprint": "e517f8ae1486cd191abdcae60367c9b8ded639601bd775463403c67fe2e4e981", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|19|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/chat/userMessageTerminalContexts.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 38986, "scanner": "repobility-threat-engine", "fingerprint": "4a0c9c68791ad9b18feec1f8184a70d3d17b42ae3c1a348070840643f2e83437", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|121|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/src/provider/codexCliVersion.ts"}, "region": {"startLine": 121}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 38985, "scanner": "repobility-threat-engine", "fingerprint": "88c8d4eadb8300e39801884584fc42acf0cb94eaceec853e89bd5cf120215b5f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|35|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/src/imageMime.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 38963, "scanner": "repobility-agent-runtime", "fingerprint": "83ac8327e3b6123716ab387a35237a59d614378ce8c1eb70a7ae66415a81b1d1", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|83ac8327e3b6123716ab387a35237a59d614378ce8c1eb70a7ae66415a81b1d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/store.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 38962, "scanner": "repobility-agent-runtime", "fingerprint": "a9504b03b4b0f5e18c31214900b6d3690aa79e3805b05d737d00d0e1bd4a8c71", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|a9504b03b4b0f5e18c31214900b6d3690aa79e3805b05d737d00d0e1bd4a8c71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/src/provider/Layers/CodexAdapter.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38936, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2fb82e4ea19cddafdf53dc4ff191de9c3219efc85566979e35a4c90454431ace", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/server/src/provider/Layers/ClaudeProvider.ts", "duplicate_line": 90, "correlation_key": "fp|2fb82e4ea19cddafdf53dc4ff191de9c3219efc85566979e35a4c90454431ace"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/providerModels.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38935, "scanner": "repobility-ai-code-hygiene", "fingerprint": "84220fcf2011ede81ffd0e5855ce63e61d3d50a9f9f700fae4b57d7e3338c099", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/src/components/DiffPanel.tsx", "duplicate_line": 110, "correlation_key": "fp|84220fcf2011ede81ffd0e5855ce63e61d3d50a9f9f700fae4b57d7e3338c099"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/lib/patchParsing.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38934, "scanner": "repobility-ai-code-hygiene", "fingerprint": "45376acd33af8e008ada9d9ea65c1a853d5c30342cd884ca4b91a61a6c1d6c25", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/server/src/serverSettings.ts", "duplicate_line": 82, "correlation_key": "fp|45376acd33af8e008ada9d9ea65c1a853d5c30342cd884ca4b91a61a6c1d6c25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/hooks/useSettings.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38933, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b04b985176efeb0c8371232e52e3af34c01a0b585576dd830ce3490c335fd58b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/src/components/ui/autocomplete.tsx", "duplicate_line": 16, "correlation_key": "fp|b04b985176efeb0c8371232e52e3af34c01a0b585576dd830ce3490c335fd58b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/ui/combobox.tsx"}, "region": {"startLine": 59}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38932, "scanner": "repobility-ai-code-hygiene", "fingerprint": "93bee863055eccea1f53ef64b6ea2af07548603f56e3306465273ead105e1d7d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/server/src/provider/Layers/ClaudeProvider.ts", "duplicate_line": 29, "correlation_key": "fp|93bee863055eccea1f53ef64b6ea2af07548603f56e3306465273ead105e1d7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/chat/TraitsPicker.browser.tsx"}, "region": {"startLine": 61}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38931, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fb7510a4a3acc76624705de5612248182c78603be22f063e9702304e7553f722", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/src/components/chat/CompactComposerControlsMenu.browser.tsx", "duplicate_line": 91, "correlation_key": "fp|fb7510a4a3acc76624705de5612248182c78603be22f063e9702304e7553f722"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/chat/TraitsPicker.browser.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38930, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fbf621be02660c35062bd3cf9dda4c7dcf2ddca6891440bf8f29e7fd882ca267", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/server/src/provider/Layers/ClaudeProvider.ts", "duplicate_line": 29, "correlation_key": "fp|fbf621be02660c35062bd3cf9dda4c7dcf2ddca6891440bf8f29e7fd882ca267"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/chat/CompactComposerControlsMenu.browser.tsx"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38929, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4f841769b6a3fc00d3bd84831eee5404cc023826860cbcc73dc7f968e7f17386", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/src/components/DiffPanel.tsx", "duplicate_line": 41, "correlation_key": "fp|4f841769b6a3fc00d3bd84831eee5404cc023826860cbcc73dc7f968e7f17386"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/PatchViewer.tsx"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38928, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b2c10fa0d95c0032d7d0856803c4452b69b4f530931deea72b50837a01148d9c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/server/src/provider/Layers/ClaudeProvider.ts", "duplicate_line": 13, "correlation_key": "fp|b2c10fa0d95c0032d7d0856803c4452b69b4f530931deea72b50837a01148d9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/src/provider/Layers/CodexProvider.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38927, "scanner": "repobility-ai-code-hygiene", "fingerprint": "432d0524202cfdf58cf6c5235cf97c7c16366d7edefaa2083cb55abc768938dd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/server/src/persistence/Layers/ProjectionCheckpoints.ts", "duplicate_line": 49, "correlation_key": "fp|432d0524202cfdf58cf6c5235cf97c7c16366d7edefaa2083cb55abc768938dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/src/persistence/Layers/ProjectionTurns.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38926, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bf4be792921494bdb9e2e45f5fa6771ac663d21fae58b1bb183c15af98a5b1a9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/server/src/orchestration/Layers/ProjectionSnapshotQuery.ts", "duplicate_line": 153, "correlation_key": "fp|bf4be792921494bdb9e2e45f5fa6771ac663d21fae58b1bb183c15af98a5b1a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/src/persistence/Layers/ProjectionThreads.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38925, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6cdcdb3cb510866e6572c64fb0957100746dd6cd690f0023e6006b6fcb9c1645", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/server/src/orchestration/Layers/ProjectionSnapshotQuery.ts", "duplicate_line": 175, "correlation_key": "fp|6cdcdb3cb510866e6572c64fb0957100746dd6cd690f0023e6006b6fcb9c1645"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/src/persistence/Layers/ProjectionThreadMessages.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38924, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2fcbc9ebd1e4a0ceef117acead5a3113326e8a2192f04e14e964fdc07997744e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/server/src/orchestration/Layers/ProjectionSnapshotQuery.ts", "duplicate_line": 212, "correlation_key": "fp|2fcbc9ebd1e4a0ceef117acead5a3113326e8a2192f04e14e964fdc07997744e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/src/persistence/Layers/ProjectionThreadActivities.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38923, "scanner": "repobility-ai-code-hygiene", "fingerprint": "38769fb52c4fa7c4b18295bde8e5435838cfb346ba7032fd0bea67161a0d4236", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/server/src/orchestration/Layers/ProjectionSnapshotQuery.ts", "duplicate_line": 134, "correlation_key": "fp|38769fb52c4fa7c4b18295bde8e5435838cfb346ba7032fd0bea67161a0d4236"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/src/persistence/Layers/ProjectionProjects.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38922, "scanner": "repobility-ai-code-hygiene", "fingerprint": "67c30bf3cc3230df2e3c337e5ec2bfd9d2f180c548ce395b78472681663a17e5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/server/src/git/Layers/ClaudeTextGeneration.ts", "duplicate_line": 112, "correlation_key": "fp|67c30bf3cc3230df2e3c337e5ec2bfd9d2f180c548ce395b78472681663a17e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/src/git/Layers/CodexTextGeneration.ts"}, "region": {"startLine": 185}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 38996, "scanner": "repobility-threat-engine", "fingerprint": "f04c81b7e26be114c603874c1d774946f39bb4a8b7fbbb820e738f6d0850cd4d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f04c81b7e26be114c603874c1d774946f39bb4a8b7fbbb820e738f6d0850cd4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/ChatMarkdown.tsx"}, "region": {"startLine": 203}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 38995, "scanner": "repobility-threat-engine", "fingerprint": "2f1dab75eccf6dfeab59ad940a4b9f9fa24d894d01d24cf28643916017b83b94", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|115|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/public/mockServiceWorker.js"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 38994, "scanner": "repobility-threat-engine", "fingerprint": "3bc1b62ca119e2e2e78806ff23e09c975ca279f867c870a47f85cdd1af22da74", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3bc1b62ca119e2e2e78806ff23e09c975ca279f867c870a47f85cdd1af22da74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/routeTree.gen.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 38993, "scanner": "repobility-threat-engine", "fingerprint": "3377ed7b02ea2a6963c528c83fc38c9080eaa96626009aa5b7639edd47bd5289", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3377ed7b02ea2a6963c528c83fc38c9080eaa96626009aa5b7639edd47bd5289"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/src/persistence/NodeSqliteClient.ts"}, "region": {"startLine": 125}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 38992, "scanner": "repobility-threat-engine", "fingerprint": "606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 38988, "scanner": "repobility-threat-engine", "fingerprint": "b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 38983, "scanner": "repobility-threat-engine", "fingerprint": "3fe8d33e128ffadbccce73f2652100ccfed6103ba34fda2f795c803e2dd7cf38", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3fe8d33e128ffadbccce73f2652100ccfed6103ba34fda2f795c803e2dd7cf38", "aggregated_count": 8}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 38982, "scanner": "repobility-threat-engine", "fingerprint": "7b78fc37bfd9b103e8a8f0163a20c511a85b6967a3030391f5e64c4ec94e2e0e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7b78fc37bfd9b103e8a8f0163a20c511a85b6967a3030391f5e64c4ec94e2e0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/src/persistence/Layers/OrchestrationEventStore.ts"}, "region": {"startLine": 252}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 38981, "scanner": "repobility-threat-engine", "fingerprint": "b151738d50864b3ee1d89e8f48ec805ec7d3330cfe40be4593f9a6152e19e851", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b151738d50864b3ee1d89e8f48ec805ec7d3330cfe40be4593f9a6152e19e851"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/src/imageMime.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 38980, "scanner": "repobility-threat-engine", "fingerprint": "85ac0ba89235477d981826a3746a1a6042dd9373695d0f4b5fefcdbe7e513d6d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|85ac0ba89235477d981826a3746a1a6042dd9373695d0f4b5fefcdbe7e513d6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/scripts/cli.ts"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 38979, "scanner": "repobility-threat-engine", "fingerprint": "ea93f5492ff921e9618c4e30a2631c7b1a2bef829e99f8007e5face821b69969", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ea93f5492ff921e9618c4e30a2631c7b1a2bef829e99f8007e5face821b69969", "aggregated_count": 6}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 38978, "scanner": "repobility-threat-engine", "fingerprint": "97370a2e30d8e112f9f906c7260fb94997844e5623b069439862f0c0cceaa775", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|97370a2e30d8e112f9f906c7260fb94997844e5623b069439862f0c0cceaa775"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/hooks/useCopyToClipboard.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 38977, "scanner": "repobility-threat-engine", "fingerprint": "07a653ead13e4a21312b0f0921f846b3465c9afd3870e6374232d5a70c0eefaa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|07a653ead13e4a21312b0f0921f846b3465c9afd3870e6374232d5a70c0eefaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/ChatMarkdown.tsx"}, "region": {"startLine": 214}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 38976, "scanner": "repobility-threat-engine", "fingerprint": "10b4de557f698ebc0a0338f38c5203282f6b17ddc806b26d48e1aa8b401e80c9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|10b4de557f698ebc0a0338f38c5203282f6b17ddc806b26d48e1aa8b401e80c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/src/logger.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 38975, "scanner": "repobility-threat-engine", "fingerprint": "dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 38971, "scanner": "repobility-threat-engine", "fingerprint": "3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 38967, "scanner": "repobility-threat-engine", "fingerprint": "ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee"}}}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 38991, "scanner": "repobility-threat-engine", "fingerprint": "39bea712929ace9e90c1f5db9514d354088988a300c769252a5ef4d746512055", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(trimmedHeader", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|39bea712929ace9e90c1f5db9514d354088988a300c769252a5ef4d746512055"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/chat/userMessageTerminalContexts.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 38990, "scanner": "repobility-threat-engine", "fingerprint": "ffa657c59df47e96aa1694de4523546079c293db0c07dc93795a86d7ecc42c76", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(output", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ffa657c59df47e96aa1694de4523546079c293db0c07dc93795a86d7ecc42c76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/src/provider/codexCliVersion.ts"}, "region": {"startLine": 121}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 38989, "scanner": "repobility-threat-engine", "fingerprint": "cca4e1658cdfd4ac3bffae912563051a2ae1ce62e18d13b3179cbb4e45c2f959", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(dataUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cca4e1658cdfd4ac3bffae912563051a2ae1ce62e18d13b3179cbb4e45c2f959"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/src/imageMime.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 38984, "scanner": "repobility-threat-engine", "fingerprint": "107ab3f45d12ab79cc222cab980fd7a590ab57ade7d2f4e7c0e8093cbcc5d7df", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.resolve(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|22|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/src/attachmentPaths.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 38974, "scanner": "repobility-threat-engine", "fingerprint": "08b83958d8f838eb18e87e548eaab4771358c406865d75ef9ba6d077154c96d1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.dataListeners.delete(callback);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|08b83958d8f838eb18e87e548eaab4771358c406865d75ef9ba6d077154c96d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/src/terminal/Layers/BunPTY.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 38973, "scanner": "repobility-threat-engine", "fingerprint": "53cbb23d0fd27e78ba0cc37076c61d56484f931092d5a269a591244269366f32", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.sessions.delete(projectId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|53cbb23d0fd27e78ba0cc37076c61d56484f931092d5a269a591244269366f32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/browserHostManager.ts"}, "region": {"startLine": 206}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 38972, "scanner": "repobility-threat-engine", "fingerprint": "8c72f20600eac4143d01ae89c55ef01bc0ed7e169149c8750fef35c96daccfe1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "context.workspaceState.update(\"tabs.activeTool\", activeTool);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8c72f20600eac4143d01ae89c55ef01bc0ed7e169149c8750fef35c96daccfe1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/resources/code-oss-extensions/tabs-workbench-integration/extension.js"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 38970, "scanner": "repobility-threat-engine", "fingerprint": "2b8d529a9cc3353db5050c7fe568469edbc0d88b3e36bc40e4ab67b3d64dfbd3", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n    (attachment) => `- ${attachment.name} (${attachment.mimeType}, ${attachment.sizeBytes}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2b8d529a9cc3353db5050c7fe568469edbc0d88b3e36bc40e4ab67b3d64dfbd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/src/git/Prompts.ts"}, "region": {"startLine": 123}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 38969, "scanner": "repobility-threat-engine", "fingerprint": "2e6799ec8a17f364ff5fd6bef189c0f22ca47c86f9a81d47a7eae17fc7d9c3e9", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((filePath) => `file:${filePath}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2e6799ec8a17f364ff5fd6bef189c0f22ca47c86f9a81d47a7eae17fc7d9c3e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/scripts/dev-electron.mjs"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 38968, "scanner": "repobility-threat-engine", "fingerprint": "0cdc24b97214fcd94d321e85cd82691dc59bae1baedfd2e5fec61c967cc01856", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n            (tool) => `\n              <button class=\"tab\" data-tool=\"${tool}\" data-active=\"${to", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0cdc24b97214fcd94d321e85cd82691dc59bae1baedfd2e5fec61c967cc01856"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/resources/code-oss-extensions/tabs-workbench-integration/extension.js"}, "region": {"startLine": 309}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 38966, "scanner": "repobility-threat-engine", "fingerprint": "9f0ff128c703ea0695ff9b152b5e2e3316e6f013d8879a2357fd2efdf715a302", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(n", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9f0ff128c703ea0695ff9b152b5e2e3316e6f013d8879a2357fd2efdf715a302"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/server/scripts/cli.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 38965, "scanner": "repobility-threat-engine", "fingerprint": "605b01bce3faf18cfa279d45d9b5faa7099aa939cec4851e0dd8ede22cc1c265", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|605b01bce3faf18cfa279d45d9b5faa7099aa939cec4851e0dd8ede22cc1c265"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/browserHostManager.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 38964, "scanner": "repobility-threat-engine", "fingerprint": "10837b64ef5e3a943f7c634b6be4fde371c9f7ad1665cd9c2ddc98773b90b88b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|10837b64ef5e3a943f7c634b6be4fde371c9f7ad1665cd9c2ddc98773b90b88b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/resources/code-oss-extensions/tabs-workbench-integration/extension.js"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `softprops/action-gh-release` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 38961, "scanner": "repobility-supply-chain", "fingerprint": "fa20a534c8ce6cf130591eb315049b249125d726d372886af946d9e28023c3d4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa20a534c8ce6cf130591eb315049b249125d726d372886af946d9e28023c3d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 289}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 38960, "scanner": "repobility-supply-chain", "fingerprint": "064429b48ba7b2203a9b1226811890a2ad63fffe278425234911cba9f0497558", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|064429b48ba7b2203a9b1226811890a2ad63fffe278425234911cba9f0497558"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 275}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 38959, "scanner": "repobility-supply-chain", "fingerprint": "39a8c2bce8963960ffc321c3b3681bf558d3a01dfd59df5b6106ac0b80ca3ed3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|39a8c2bce8963960ffc321c3b3681bf558d3a01dfd59df5b6106ac0b80ca3ed3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 270}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 38958, "scanner": "repobility-supply-chain", "fingerprint": "0588c5d5fe3335b613ced32cb57caa89600e0194a52c8745ef1618e83d74ed0d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0588c5d5fe3335b613ced32cb57caa89600e0194a52c8745ef1618e83d74ed0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 265}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 38957, "scanner": "repobility-supply-chain", "fingerprint": "7df4a969ec77001f74f1372d1d967c60fa7c3c01f1abfc175a3d0bc2207e92b0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7df4a969ec77001f74f1372d1d967c60fa7c3c01f1abfc175a3d0bc2207e92b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 242}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 38956, "scanner": "repobility-supply-chain", "fingerprint": "29c2f183bdb5cf8aeabee0d97eb64f43828b151195245c08adf68388bdca8251", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|29c2f183bdb5cf8aeabee0d97eb64f43828b151195245c08adf68388bdca8251"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 237}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 38955, "scanner": "repobility-supply-chain", "fingerprint": "f850ce483b563d98e912c4eb1904e20acc32b08d5df298b5793a466cb858216f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f850ce483b563d98e912c4eb1904e20acc32b08d5df298b5793a466cb858216f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 232}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 38954, "scanner": "repobility-supply-chain", "fingerprint": "efd29bab446373194ab7ae6a5f0c3bdaecef87fa27c667ccc367dbf99939b06f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|efd29bab446373194ab7ae6a5f0c3bdaecef87fa27c667ccc367dbf99939b06f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 220}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 38953, "scanner": "repobility-supply-chain", "fingerprint": "6a45c635e850c2dd95915e2677c2862a548e55d83331d20e8aa290968def6a65", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6a45c635e850c2dd95915e2677c2862a548e55d83331d20e8aa290968def6a65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 38952, "scanner": "repobility-supply-chain", "fingerprint": "ece4db9df37a9a66d114c8adc25023e131e4fc8d7c5eb87781812f42d255c7f0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ece4db9df37a9a66d114c8adc25023e131e4fc8d7c5eb87781812f42d255c7f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 38951, "scanner": "repobility-supply-chain", "fingerprint": "18016303a7bd25b0e7e60ff78082ea6cf4e3fca2612c5bc6fae2628e3e35c3f0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|18016303a7bd25b0e7e60ff78082ea6cf4e3fca2612c5bc6fae2628e3e35c3f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 38950, "scanner": "repobility-supply-chain", "fingerprint": "3c1f5b879cab85c7271915f287b804e4b088db1d3924c0899c3f7955910f5a30", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3c1f5b879cab85c7271915f287b804e4b088db1d3924c0899c3f7955910f5a30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 38949, "scanner": "repobility-supply-chain", "fingerprint": "c28b624dcdcfd19b98ae0021161cd626ff46eb9ad182384faee5f629d23d3a39", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c28b624dcdcfd19b98ae0021161cd626ff46eb9ad182384faee5f629d23d3a39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 38948, "scanner": "repobility-supply-chain", "fingerprint": "e562f555bf23b32669d04bb6c7a8827fdc47ee2bfcbc7a41e5d85a9c2d9a1760", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e562f555bf23b32669d04bb6c7a8827fdc47ee2bfcbc7a41e5d85a9c2d9a1760"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 38947, "scanner": "repobility-supply-chain", "fingerprint": "5c7067fb762aef4e951e903fbbd333b22832f1c4be2f6b1ff15931754bcae412", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5c7067fb762aef4e951e903fbbd333b22832f1c4be2f6b1ff15931754bcae412"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 38946, "scanner": "repobility-supply-chain", "fingerprint": "c3334362a8f89cd11edd4ccd3b8ee8609ea045a4b1839cf8645fde9fcab95336", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c3334362a8f89cd11edd4ccd3b8ee8609ea045a4b1839cf8645fde9fcab95336"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 38945, "scanner": "repobility-supply-chain", "fingerprint": "0dd4ec93d47f8629466411e86ba39f6a408c8bff4794f47c2562a4d830be9b60", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0dd4ec93d47f8629466411e86ba39f6a408c8bff4794f47c2562a4d830be9b60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 38944, "scanner": "repobility-supply-chain", "fingerprint": "277a2c08483a0b4481f1794e08410663ffa8fd9a29a59560e911f3c8d2b91063", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|277a2c08483a0b4481f1794e08410663ffa8fd9a29a59560e911f3c8d2b91063"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 38943, "scanner": "repobility-supply-chain", "fingerprint": "a26dccd7f660d5e44e3c0fde6344149fcaf67d39bdc4ffa827cefeb46f976ef1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a26dccd7f660d5e44e3c0fde6344149fcaf67d39bdc4ffa827cefeb46f976ef1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 38942, "scanner": "repobility-supply-chain", "fingerprint": "2986b10a8c905578b24544716d7913144bc18027d6e2ae1d08955457131de2c8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2986b10a8c905578b24544716d7913144bc18027d6e2ae1d08955457131de2c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 38941, "scanner": "repobility-supply-chain", "fingerprint": "957313a6c8cef5b2c38c5b5798301271fb52a0835a01cffd4d65e3aba7b8467a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|957313a6c8cef5b2c38c5b5798301271fb52a0835a01cffd4d65e3aba7b8467a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 38940, "scanner": "repobility-supply-chain", "fingerprint": "2ed7136cf478c72416550d8372edeec9eca4a2838e4403cdb080af7159987732", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2ed7136cf478c72416550d8372edeec9eca4a2838e4403cdb080af7159987732"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 38939, "scanner": "repobility-supply-chain", "fingerprint": "4114f1f17f0058c70f3d37842ad8da132f67284934c8ca306b09a36aeb4f4c4a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4114f1f17f0058c70f3d37842ad8da132f67284934c8ca306b09a36aeb4f4c4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-vouch.yml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `mitchellh/vouch/action/check-user` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 38938, "scanner": "repobility-supply-chain", "fingerprint": "13fe21db52c93e17b637fbf210ab44bc6905a16d3c196a6ef996a3c4877f3ec6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|13fe21db52c93e17b637fbf210ab44bc6905a16d3c196a6ef996a3c4877f3ec6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-vouch.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 38937, "scanner": "repobility-supply-chain", "fingerprint": "157288a53bd18b21c2960bd2e4c75ee315940efeb0db4a7bd6e9acc35d225a4b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|157288a53bd18b21c2960bd2e4c75ee315940efeb0db4a7bd6e9acc35d225a4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-vouch.yml"}, "region": {"startLine": 28}}}]}]}]}