{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `on_ready` has cognitive complexity 10 (SonarSource scale). Cognitive comp", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `on_ready` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all "}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. 
SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 10."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED069", "name": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files.", "shortDescription": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-489 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found in a documentation, catalog, or template-heavy repository", "shortDescription": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "fullDescription": {"text": "If this repository ships runnable code, add focused tests for those examples or templates. 
If it is documentation/catalog content only, mark the finding as accepted or add a .repobilityignore note."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "info", "confidence": 0.35, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `peter-evans/create-pull-request` pinned to mutable ref `@v8`", "shortDescription": {"text": "Action `peter-evans/create-pull-request` pinned to mutable ref `@v8`"}, "fullDescription": {"text": "`uses: peter-evans/create-pull-request@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner, or by anyone who gains control of the owner's credentials; that is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. Pin to a full 40-character commit SHA and keep the pin updated with Dependabot or Renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.write_patrons` used but never assigned in __init__", "shortDescription": {"text": "`self.write_patrons` used but never assigned in __init__"}, "fullDescription": {"text": "Method `on_ready` of class `TukuiCommunityBot` reads `self.write_patrons`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1382"}, "properties": {"repository": "tukui-org/ElvUI", "repoUrl": "https://github.com/tukui-org/ElvUI", "branch": "main"}, "results": [{"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 141280, "scanner": "repobility-threat-engine", "fingerprint": "29a24153b711cd08af839738830487b63db833c2e9e0de9752aab0b7318be0b9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "debug = true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|29a24153b711cd08af839738830487b63db833c2e9e0de9752aab0b7318be0b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ElvUI/Game/Shared/Defaults/Private.lua"}, "region": {"startLine": 117}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `on_ready` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: for=3, if=1, nested_bonus=6."}, "properties": {"repobilityId": 141279, "scanner": "repobility-threat-engine", "fingerprint": "48f05f58dc96acd9f7c0a83d81f550bb00b9288c0cd6320442658dbbfbbd32de", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "on_ready", "breakdown": {"if": 1, "for": 3, "nested_bonus": 6}, "complexity": 10, "correlation_key": "fp|48f05f58dc96acd9f7c0a83d81f550bb00b9288c0cd6320442658dbbfbbd32de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/PatreonUpdate.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 141282, "scanner": "repobility-threat-engine", "fingerprint": "0466b1c2518fbc5adc35250f22f405df0e3dfc94a6eca777e8a0b9d71ebcc383", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0466b1c2518fbc5adc35250f22f405df0e3dfc94a6eca777e8a0b9d71ebcc383"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ElvUI_Libraries/Game/Shared/Ace3/AceConfig-3.0/AceConfig-3.0.lua"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED069", "level": "none", "message": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True 
or app.debug=True in non-test files."}, "properties": {"repobilityId": 141281, "scanner": "repobility-threat-engine", "fingerprint": "930e4f4c91ba8ab64e5ecd678ed0ad95258fd6dea230c4d114d1158d323ae8ec", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "debug-true-prod", "owasp": "A05:2021", "cwe_ids": ["CWE-489"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348063+00:00", "triaged_in_corpus": 12, "observations_count": 37393, "ai_coder_pattern_id": 17}, "scanner": "repobility-threat-engine", "correlation_key": "fp|930e4f4c91ba8ab64e5ecd678ed0ad95258fd6dea230c4d114d1158d323ae8ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ElvUI/Game/Shared/Defaults/Private.lua"}, "region": {"startLine": 117}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "none", "message": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "properties": {"repobilityId": 141267, "scanner": "repobility-core", "fingerprint": "69cfb3536a8ccff500ccafcd681fc8d4bc9f4eda6689da02ddec81654bd9fd15", "category": "testing", "severity": "info", "confidence": 0.35, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "evidence": {"reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "confidence": 0.35, "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `peter-evans/create-pull-request` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 141278, "scanner": "repobility-supply-chain", "fingerprint": 
"8c5118b5f9542f58c8436cb54ee8ad4bfe43b8048177c3602b4edf84ad839ae4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8c5118b5f9542f58c8436cb54ee8ad4bfe43b8048177c3602b4edf84ad839ae4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/patreon.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 141277, "scanner": "repobility-supply-chain", "fingerprint": "143c19e8365f75f39e3c38a795c71e0a558107e6cfa383ec4c2abd71f17aa662", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|143c19e8365f75f39e3c38a795c71e0a558107e6cfa383ec4c2abd71f17aa662"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/patreon.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 141276, "scanner": "repobility-supply-chain", "fingerprint": "3b9835b78d43661cd90551afac4d83e4c4a677a6c91a2a19d0bc6d09c11567d6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], 
"languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3b9835b78d43661cd90551afac4d83e4c4a677a6c91a2a19d0bc6d09c11567d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/patreon.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 141275, "scanner": "repobility-supply-chain", "fingerprint": "1854c545c28ce8402aeebcd431bd190f95fcac58b76c9c193cdef2d5a7314726", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1854c545c28ce8402aeebcd431bd190f95fcac58b76c9c193cdef2d5a7314726"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/patreon.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `BigWigsMods/packager` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 141274, "scanner": "repobility-supply-chain", "fingerprint": "ef9826c22b92092904d50797d8c1d1561e6c6c3f24194c0d008e7fd0d28b5033", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef9826c22b92092904d50797d8c1d1561e6c6c3f24194c0d008e7fd0d28b5033"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 25}}}]}, 
{"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 141273, "scanner": "repobility-supply-chain", "fingerprint": "785f5132ddb07de263e0233d6a7c86920c64506168213cc426f9468769a320b2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|785f5132ddb07de263e0233d6a7c86920c64506168213cc426f9468769a320b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `BigWigsMods/packager` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 141272, "scanner": "repobility-supply-chain", "fingerprint": "63e6847350da408119a5fee0e7234119f866281756d3374c659506a04e3b953d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|63e6847350da408119a5fee0e7234119f866281756d3374c659506a04e3b953d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 141271, "scanner": "repobility-supply-chain", "fingerprint": "edddba0ed0deb9e460d8d45304fb304e628c064815f255579d7485ad181d789e", "category": "dependency", "severity": 
"high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|edddba0ed0deb9e460d8d45304fb304e628c064815f255579d7485ad181d789e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.write_patrons` used but never assigned in __init__"}, "properties": {"repobilityId": 141270, "scanner": "repobility-ast-engine", "fingerprint": "0abeec513f691435c759fe0c9374a52f2807f20c2f50079dd5ddb72d2e04e5e4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0abeec513f691435c759fe0c9374a52f2807f20c2f50079dd5ddb72d2e04e5e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/PatreonUpdate.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.wrap_patrons` used but never assigned in __init__"}, "properties": {"repobilityId": 141269, "scanner": "repobility-ast-engine", "fingerprint": "0bdb7df6c299af5c80912349c0516f655f2db8c26fe527a27509f7c39ace392e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|0bdb7df6c299af5c80912349c0516f655f2db8c26fe527a27509f7c39ace392e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/PatreonUpdate.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.clean_patrons` used but never assigned in __init__"}, "properties": {"repobilityId": 141268, "scanner": "repobility-ast-engine", "fingerprint": "bb5fc9b9bb532d9e924e9b4c4573a6be9782bbc0faea4731c759a028dfa19c12", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bb5fc9b9bb532d9e924e9b4c4573a6be9782bbc0faea4731c759a028dfa19c12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/PatreonUpdate.py"}, "region": {"startLine": 50}}}]}]}]}