{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED058] React Dangerously Set Html (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested.", "shortDescription": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 20 more): Same pattern found in 20 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.MEILISEARCH_SEARCH_KEY` on a `pull_request` trigger: This workflow triggers on `pull_r", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.MEILISEARCH_SEARCH_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.MEILISEARCH_SEARCH_KEY }` lets a PR from any fork exf"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED125", "name": "[MINED125] GHA script injection via github.event.pull_request.title in run-step: Multi-line `run: |` block interpolates ", "shortDescription": {"text": "[MINED125] GHA script injection via github.event.pull_request.title in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.title }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "fullDescription": {"text": "Capture the field into an env var first; reference $ENV_VAR in shell."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.", "shortDescription": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1032"}, "properties": {"repository": "strapi/documentation", "repoUrl": "https://github.com/strapi/documentation", "branch": "main"}, "results": [{"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 96651, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 96643, "scanner": "repobility-threat-engine", "fingerprint": "c24b0f12f1fc80820689d460d652bde4a383b8853412bef921b2907719af718c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random()}`);\n  const localStorageKey", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c24b0f12f1fc80820689d460d652bde4a383b8853412bef921b2907719af718c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/src/components/InteractiveQueryBuilder/InteractiveQueryBuilder.jsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 96632, "scanner": "repobility-threat-engine", "fingerprint": "2d67da2bbfba09842666097e61462403ccfd50937036866f8f0e546087b6de37", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href={linkHref} download target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|35|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/src/components/MermaidWithFallback.js"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 96631, "scanner": "repobility-threat-engine", "fingerprint": "db8504709d67a1d10d1271477042b366a2217509aa5418a0fe470563e53fdeb3", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(fullUrl || targetUrl, openIn)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|50|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/src/components/AiToolbar/actions/openLLM.js"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 96630, "scanner": "repobility-threat-engine", "fingerprint": "ca1b2d08ad7fb445ad700554888f88bbd1a52f0307928809aa9bd86590351820", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(url, '_blank')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|10|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/src/components/AiToolbar/actions/navigate.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 96624, "scanner": "repobility-threat-engine", "fingerprint": "8b5eb33b24b6938ca021358f5c4ff8657e2370f26cc80caca9e71d78089310f1", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|24|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/scripts/redirects-utilities/remove-redirects-vercel-duplicates/compare-redirects-and-vercel.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 96623, "scanner": "repobility-threat-engine", "fingerprint": "390726911263325970122fae9ec64f52b6ccbd95e35d68a713a54475997f9437", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|87|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/scripts/redirects-utilities/redirects-organizer/redirects-organizer.js"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 96622, "scanner": "repobility-threat-engine", "fingerprint": "41e48a6ac1e2b4bbb80f03ee7b3eb253730a1ef650ef9910ba552f6d7ffb6800", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|58|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/scripts/redirects-utilities/docusaurus-vercel-converter/docusaurus-vercel-converter.js"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 96650, "scanner": "repobility-threat-engine", "fingerprint": "6040bc70687133eac37c601f9f8307deca4c24ee8ab4f98ef531405b19cefd0c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6040bc70687133eac37c601f9f8307deca4c24ee8ab4f98ef531405b19cefd0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/static/js/particleProfiles.js"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 96649, "scanner": "repobility-threat-engine", "fingerprint": "2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 96645, "scanner": "repobility-threat-engine", "fingerprint": "fe5e96233531107794ad9a42538adccb7e9d44aba2323d680d816c01565e134f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fe5e96233531107794ad9a42538adccb7e9d44aba2323d680d816c01565e134f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/src/theme/AskAiIcon.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 96644, "scanner": "repobility-threat-engine", "fingerprint": "1576573d6f8455866edfa444432e841933d623f8bb292e50f25524e6d1fc7e43", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "UI component library ('chart') \u2014 innerHTML usage is controlled by the framework", "evidence": {"match": ".innerHTML = c", "reason": "UI component library ('chart') \u2014 innerHTML usage is controlled by the framework", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|47|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/src/components/MermaidWithFallback.js"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 96642, "scanner": "repobility-threat-engine", "fingerprint": "b00d577a1057957f67ad2302cbc95a6a91a9ef4fe2a39ce058aadf87e6fd4ded", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b00d577a1057957f67ad2302cbc95a6a91a9ef4fe2a39ce058aadf87e6fd4ded", "aggregated_count": 4}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 96641, "scanner": "repobility-threat-engine", "fingerprint": "d72e65d68a726e1c0dfdb3fb72a5c4b7bbea4fe332973fd1c4f975a31719b966", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d72e65d68a726e1c0dfdb3fb72a5c4b7bbea4fe332973fd1c4f975a31719b966"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/src/pages/home/Home.jsx"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 96640, "scanner": "repobility-threat-engine", "fingerprint": "64c0b8692e45f720500f39c6c433702b010c24f41ee9373408469a8452ccbe9b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|64c0b8692e45f720500f39c6c433702b010c24f41ee9373408469a8452ccbe9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/src/components/SideBySide/SideBySideContainer/SideBySideContainer.jsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 96639, "scanner": "repobility-threat-engine", "fingerprint": "45910b9b491f0b1d89857df8bf51571be9068d0b0d70208ca7a5f0779189ab9b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|45910b9b491f0b1d89857df8bf51571be9068d0b0d70208ca7a5f0779189ab9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/src/components/InfoIcon/index.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 96638, "scanner": "repobility-threat-engine", "fingerprint": "cdfc76138973b00f3787e621e8bbdd5078d17556341a9703a6758d4e366ed60f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cdfc76138973b00f3787e621e8bbdd5078d17556341a9703a6758d4e366ed60f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/src/theme/DocSidebarItem/Html/index.js"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 96637, "scanner": "repobility-threat-engine", "fingerprint": "a6ca84824a64a4f35595e2fd0d6c691b95fce8865b0b8e4963c469a24bfae83c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a6ca84824a64a4f35595e2fd0d6c691b95fce8865b0b8e4963c469a24bfae83c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/src/components/NewsTicker/index.js"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 96636, "scanner": "repobility-threat-engine", "fingerprint": "b4b7e72c9002447a9ce014218f24649859971790940781463c20515ef8138ed9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b4b7e72c9002447a9ce014218f24649859971790940781463c20515ef8138ed9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/src/components/HomepageFeatures/index.js"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 96634, "scanner": "repobility-threat-engine", "fingerprint": "7f34b9f650bae05c062d031bb90b85e3fe169e551f61c1a283e6b6f7e27fd8b8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7f34b9f650bae05c062d031bb90b85e3fe169e551f61c1a283e6b6f7e27fd8b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/src/components/AiToolbar/config/aiPromptTemplates.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\" (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 96633, "scanner": "repobility-threat-engine", "fingerprint": "445e143bfb9fa42d815d6c9ae398165a70589a79a844fb4f61e3e95a91105bbd", "category": "security", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|445e143bfb9fa42d815d6c9ae398165a70589a79a844fb4f61e3e95a91105bbd"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 96625, "scanner": "repobility-threat-engine", "fingerprint": "c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb"}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 96618, "scanner": "repobility-threat-engine", "fingerprint": "3aac64c61480bc6908de839d2608cd2c410468bd9291b90b703d74d93c0e8e5f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3aac64c61480bc6908de839d2608cd2c410468bd9291b90b703d74d93c0e8e5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/scripts/debug-kapa-auth.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 96617, "scanner": "repobility-threat-engine", "fingerprint": "d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 96616, "scanner": "repobility-threat-engine", "fingerprint": "7f6b8c3a0fa9230544f2d71dac7337141c22690f70e9d678ec3c9d3337258f13", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(`Input file: ${config.inputFile}`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|9|console.log input file: config.inputfile"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/scripts/redirects-utilities/docusaurus-vercel-converter/docusaurus-vercel-converter.js"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 96615, "scanner": "repobility-threat-engine", "fingerprint": "f891fab767f54a6b627b5461924a57dabf285bc8edad4fdc4d9e603326481d89", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log('No docusaurus.config.js file found')", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|9|console.log no docusaurus.config.js file found"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/scripts/redirects-utilities/check-redirections-existence/check-redirects.js"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 96614, "scanner": "repobility-threat-engine", "fingerprint": "b3c205e1a3c0833db078778963901bc8c04033ee63b03c71ceb9d009cf83a4f9", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.log(`- KAPA_API_TOKEN: <redacted> ? '\u2705 Set (' + token.length + ' chars)", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|1|console.log - kapa_api_token: redacted set + token.length + chars"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/scripts/debug-kapa-auth.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 96613, "scanner": "repobility-threat-engine", "fingerprint": "fb9fb002bf587f4fed1decfa21432ba221db6d030b7a6ee9ca0c881453dc1abd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fb9fb002bf587f4fed1decfa21432ba221db6d030b7a6ee9ca0c881453dc1abd", "aggregated_count": 20}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 96612, "scanner": "repobility-threat-engine", "fingerprint": "b0cdfa41e6da96621f0329b60b6d6999c7eb5e5e8d39daf3637a710ab24508e7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b0cdfa41e6da96621f0329b60b6d6999c7eb5e5e8d39daf3637a710ab24508e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/scripts/debug-kapa-auth.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 96611, "scanner": "repobility-threat-engine", "fingerprint": "cddb80f8f56fa717d53f9c356f482c8a0d2624b650b6c3eb16efc65772d728f7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cddb80f8f56fa717d53f9c356f482c8a0d2624b650b6c3eb16efc65772d728f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/scripts/all-urls-extractor/extract-urls.js"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 96610, "scanner": "repobility-threat-engine", "fingerprint": "8ec837a190a7145e45919e63012e58e054e32e1296a7ddfcda87bf60bd433156", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8ec837a190a7145e45919e63012e58e054e32e1296a7ddfcda87bf60bd433156"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/plugins/llms-generator-plugin.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96698, "scanner": "repobility-supply-chain", "fingerprint": "78bdc5a69d066cbcf9ac9e139daf758f1e9f9d7926d0a7143dde09caa4702a78", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|78bdc5a69d066cbcf9ac9e139daf758f1e9f9d7926d0a7143dde09caa4702a78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/documentation-review.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96695, "scanner": "repobility-supply-chain", "fingerprint": "ff4c8da0e96342a54a90bd5d7ebb054bd3e9f8a0cb28b5b057ed25c8e37a4348", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ff4c8da0e96342a54a90bd5d7ebb054bd3e9f8a0cb28b5b057ed25c8e37a4348"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/credit-reward-automation.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96694, "scanner": "repobility-supply-chain", "fingerprint": "899012244cf4bf7a0a4870518d56b502f77c5a7b533f43271c26783fc24ffec2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|899012244cf4bf7a0a4870518d56b502f77c5a7b533f43271c26783fc24ffec2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/documentation-style-review-enhanced.yml"}, "region": {"startLine": 370}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96693, "scanner": "repobility-supply-chain", "fingerprint": "8741cb05e3f3b661750037d2c07a1949df29b6c67707de2791909be187a4d2e4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8741cb05e3f3b661750037d2c07a1949df29b6c67707de2791909be187a4d2e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/documentation-style-review-enhanced.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96692, "scanner": "repobility-supply-chain", "fingerprint": "cc1b1e4d4c33444bfb2ac87f0b846b401f1a9170f1aaf53e1f0bafaca04e8eea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cc1b1e4d4c33444bfb2ac87f0b846b401f1a9170f1aaf53e1f0bafaca04e8eea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/documentation-style-review-enhanced.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96691, "scanner": "repobility-supply-chain", "fingerprint": "3fa6e1ddd4cbf60a726dae08bcb15e8d50ddb57727494ae64ee4cfd0df260c3f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3fa6e1ddd4cbf60a726dae08bcb15e8d50ddb57727494ae64ee4cfd0df260c3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/documentation-style-review-enhanced.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96690, "scanner": "repobility-supply-chain", "fingerprint": "8f4ecb942523554cee4a97cb43d85b96d6877073b8c2c242f21581876a920ecd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8f4ecb942523554cee4a97cb43d85b96d6877073b8c2c242f21581876a920ecd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/inki-sync-root-refs.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96669, "scanner": "repobility-supply-chain", "fingerprint": "8b0dca9ef39b8ae5c9f61d7aeac206d285dd19a763265bc21d2ad28d6b13d994", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8b0dca9ef39b8ae5c9f61d7aeac206d285dd19a763265bc21d2ad28d6b13d994"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 377}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96668, "scanner": "repobility-supply-chain", "fingerprint": "3c85a645c6e426dbdfaa0f30d4ebebd9e6beac13ca0f8c7c9815667dfadf9f74", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3c85a645c6e426dbdfaa0f30d4ebebd9e6beac13ca0f8c7c9815667dfadf9f74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 196}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96667, "scanner": "repobility-supply-chain", "fingerprint": "d1d891e54b3c2907eb9720442115585030391cfcab16bddbdf2d4ad9b8315f53", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d1d891e54b3c2907eb9720442115585030391cfcab16bddbdf2d4ad9b8315f53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96666, "scanner": "repobility-supply-chain", "fingerprint": "3c18204b1bb22aac4a01a675988fbb542969ae8f08418bccf675524f83aca796", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3c18204b1bb22aac4a01a675988fbb542969ae8f08418bccf675524f83aca796"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/documentation-review-github.yml"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96665, "scanner": "repobility-supply-chain", "fingerprint": "5f5eeaec3754f852e59003ef13a8f29d78c8767d2dd0f05d52ce9dc2c91064bf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5f5eeaec3754f852e59003ef13a8f29d78c8767d2dd0f05d52ce9dc2c91064bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/documentation-review-github.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96664, "scanner": "repobility-supply-chain", "fingerprint": "ac925251d89e095f25e575bac4afb610be829845fa0db4eb095b87d87bec9584", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ac925251d89e095f25e575bac4afb610be829845fa0db4eb095b87d87bec9584"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/documentation-review-github.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96663, "scanner": "repobility-supply-chain", "fingerprint": "19c94f4383698dc575f8bb88368fe5c6c86bebeacd55b60d81ac67f03eafe5b4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|19c94f4383698dc575f8bb88368fe5c6c86bebeacd55b60d81ac67f03eafe5b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/debug-review.yml"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96662, "scanner": "repobility-supply-chain", "fingerprint": "b1eae364b09b902babe39bb69d651ceea684a19d0f6c235ee8f0cbfbfc21003b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b1eae364b09b902babe39bb69d651ceea684a19d0f6c235ee8f0cbfbfc21003b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/debug-review.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96661, "scanner": "repobility-supply-chain", "fingerprint": "7526f5a96029d2bd564e091904d7c02c7434f9f3aaf5df051236b78c21b76b1d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7526f5a96029d2bd564e091904d7c02c7434f9f3aaf5df051236b78c21b76b1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/debug-review.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96660, "scanner": "repobility-supply-chain", "fingerprint": "dba5174ff89f34f755b98b56940c1dcf9cf18799bf87d51ec96d798a9cc90b43", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dba5174ff89f34f755b98b56940c1dcf9cf18799bf87d51ec96d798a9cc90b43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/mention-escalation.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `algolia/algoliasearch-crawler-github-actions` pinned to mutable ref `@v1.1.9`: `uses: algolia/algoliasearch-crawler-github-actions@v1.1.9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96659, "scanner": "repobility-supply-chain", "fingerprint": "f7a8345afda3571c58a454aa7e341de3fffef6f20bca27c2e7cec687b22c9cd5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f7a8345afda3571c58a454aa7e341de3fffef6f20bca27c2e7cec687b22c9cd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-production.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `chetan/invalidate-cloudfront-action` pinned to mutable ref `@v2`: `uses: chetan/invalidate-cloudfront-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96658, "scanner": "repobility-supply-chain", "fingerprint": "9c78fda073e1deb73e528de409d511b5948dafe48d574f8d8263da68666a10df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c78fda073e1deb73e528de409d511b5948dafe48d574f8d8263da68666a10df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-production.yml"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `UnlyEd/github-action-await-vercel` pinned to mutable ref `@v1.2.14`: `uses: UnlyEd/github-action-await-vercel@v1.2.14` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96657, "scanner": "repobility-supply-chain", "fingerprint": "d9efa552d9aee010234c1ac12c70e216ecd6d4490cd417ea8358be9aa77000a3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d9efa552d9aee010234c1ac12c70e216ecd6d4490cd417ea8358be9aa77000a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-production.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `derrickmehaffy/vercel-preview-url` pinned to mutable ref `@main`: `uses: derrickmehaffy/vercel-preview-url@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96656, "scanner": "repobility-supply-chain", "fingerprint": "1dbb0a9a7d34558420c3c61b3bc4e884c07f31d95defcd239e0ab1c8e5be4167", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1dbb0a9a7d34558420c3c61b3bc4e884c07f31d95defcd239e0ab1c8e5be4167"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-production.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96655, "scanner": "repobility-supply-chain", "fingerprint": "fd263f09a74ee81cfcfec4cb7d5b2e4c8ddcdfc391817798c8ed4d2699e0e7ff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fd263f09a74ee81cfcfec4cb7d5b2e4c8ddcdfc391817798c8ed4d2699e0e7ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-production.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96654, "scanner": "repobility-supply-chain", "fingerprint": "7e81df5e48162136124599bb3620c4deb7653c13a21a9de96e562b691a7d547a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e81df5e48162136124599bb3620c4deb7653c13a21a9de96e562b691a7d547a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-production.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96653, "scanner": "repobility-supply-chain", "fingerprint": "07f4ba13bfe0207592dff3f36ba9df8d7ea9e08233d21a73552e66579bec70f0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|07f4ba13bfe0207592dff3f36ba9df8d7ea9e08233d21a73552e66579bec70f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-label-prs-by-contributor-type.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96652, "scanner": "repobility-supply-chain", "fingerprint": "6491706c09c46d21646f18416a34f58c1799b412d79c83c8fe3677d2622d3993", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6491706c09c46d21646f18416a34f58c1799b412d79c83c8fe3677d2622d3993"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-label-prs-by-contributor-type.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 96648, "scanner": "repobility-threat-engine", "fingerprint": "e3c2d911d798305133a03bfca459224cbf0186bf72f17d853977aac4198eff55", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ctx.save();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e3c2d911d798305133a03bfca459224cbf0186bf72f17d853977aac4198eff55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/static/js/firework.js"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 96647, "scanner": "repobility-threat-engine", "fingerprint": "4f5b10d3c665594d24c42f8a50a3ab40bad10d77a9be102e8f9e5456def13634", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "particle.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4f5b10d3c665594d24c42f8a50a3ab40bad10d77a9be102e8f9e5456def13634"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/static/js/ball.js"}, "region": {"startLine": 104}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 96646, "scanner": "repobility-threat-engine", "fingerprint": "d9591989ad6e5a8b29a45eac06f5610877f33bb0b8bd61444d1fc33a2bc8e40c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.all(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d9591989ad6e5a8b29a45eac06f5610877f33bb0b8bd61444d1fc33a2bc8e40c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/src/theme/SearchBar/index.js"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 96635, "scanner": "repobility-threat-engine", "fingerprint": "d12e9f2832f8ebdc92e43649a04e4fe880f840faa810c66ec8a0370b1a9c621d", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((param) => `${param}=${encodedPrompt}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d12e9f2832f8ebdc92e43649a04e4fe880f840faa810c66ec8a0370b1a9c621d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/src/components/AiToolbar/utils/docContext.js"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 96621, "scanner": "repobility-threat-engine", "fingerprint": "edc6155fdc134bc911f31cf804636977adf7ebe88ac27740addb341fec503ca1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(h", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|edc6155fdc134bc911f31cf804636977adf7ebe88ac27740addb341fec503ca1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/src/theme/DocSidebarItem/Link/index.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 96620, "scanner": "repobility-threat-engine", "fingerprint": "dc410679ca9e8d985ea96e7f625fdf256854d900de89986c9f5f7f8698f1a7d7", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dc410679ca9e8d985ea96e7f625fdf256854d900de89986c9f5f7f8698f1a7d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/src/components/AiToolbar/utils/docContext.js"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 96619, "scanner": "repobility-threat-engine", "fingerprint": "1f7b40202ed0aa425f438c2908f73dddfe59904f400432726f99c94ff83e89c4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1f7b40202ed0aa425f438c2908f73dddfe59904f400432726f99c94ff83e89c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/scripts/generate-llms.js"}, "region": {"startLine": 125}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 96606, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.MEILISEARCH_SEARCH_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.MEILISEARCH_SEARCH_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96702, "scanner": "repobility-supply-chain", "fingerprint": "e542a032a4cf3f7a74bee2646157231b616d95c6288e28ef64253b5d6e011161", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e542a032a4cf3f7a74bee2646157231b616d95c6288e28ef64253b5d6e011161"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/meilisearch-scraper.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.MEILISEARCH_HOST_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.MEILISEARCH_HOST_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96701, "scanner": "repobility-supply-chain", "fingerprint": "6172c4f37fda95b4c10d7bf6a8af8994de766e5f046d221049db9721ec0e0611", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6172c4f37fda95b4c10d7bf6a8af8994de766e5f046d221049db9721ec0e0611"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/meilisearch-scraper.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.MEILISEARCH_MASTER_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.MEILISEARCH_MASTER_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96700, "scanner": "repobility-supply-chain", "fingerprint": "549a2b4e11bd7796ab6675ccb97302d7615fc4577a43b7c79e03f978b89ff24b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|549a2b4e11bd7796ab6675ccb97302d7615fc4577a43b7c79e03f978b89ff24b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/meilisearch-scraper.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.MEILISEARCH_HOST_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.MEILISEARCH_HOST_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96699, "scanner": "repobility-supply-chain", "fingerprint": "46d7b32a3ca22a22881c1689e430fb64a657bd80c669bfc3e704f23528b23098", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|46d7b32a3ca22a22881c1689e430fb64a657bd80c669bfc3e704f23528b23098"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/meilisearch-scraper.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.title in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.title }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 96697, "scanner": "repobility-supply-chain", "fingerprint": "44b0aa7cf30f3171403c277e1b9d29a7e2b00c354c752ffc7ae2f5608c0c558d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|44b0aa7cf30f3171403c277e1b9d29a7e2b00c354c752ffc7ae2f5608c0c558d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/credit-reward-automation.yml"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.head.ref in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.head.ref }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 96696, "scanner": "repobility-supply-chain", "fingerprint": "782906ff08e90a4e28eae64d2bd52a0b57baf0a3be3b03a293d35380fed76b4b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|782906ff08e90a4e28eae64d2bd52a0b57baf0a3be3b03a293d35380fed76b4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/credit-reward-automation.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.title in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.title }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 96689, "scanner": "repobility-supply-chain", "fingerprint": "b59f40268e115bedd249a8dc8d5bfb85f4c17792a6972d3e54b15c9e06fbfa1e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b59f40268e115bedd249a8dc8d5bfb85f4c17792a6972d3e54b15c9e06fbfa1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 353}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.title in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.title }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 96688, "scanner": "repobility-supply-chain", "fingerprint": "0750e2c1f69a05b8e2a022eb17d42fc110c4d1f460a3300559f90f7147fdf638", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0750e2c1f69a05b8e2a022eb17d42fc110c4d1f460a3300559f90f7147fdf638"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 329}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.title in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.title }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 96687, "scanner": "repobility-supply-chain", "fingerprint": "0f94bde981c14083945ae561b2ad9a377aed2fa031768e7363c22f13a1318ce0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f94bde981c14083945ae561b2ad9a377aed2fa031768e7363c22f13a1318ce0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 278}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.title in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.title }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 96686, "scanner": "repobility-supply-chain", "fingerprint": "1ef7bf1072320c0e10242a8734ac91c6f7f17ffe8e1f9ff818d21aa3c076f3c3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ef7bf1072320c0e10242a8734ac91c6f7f17ffe8e1f9ff818d21aa3c076f3c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.title in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.title }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 96685, "scanner": "repobility-supply-chain", "fingerprint": "5cc175f32a40a263eaa4d22ec1ec6c2db9944e2c56c0e81b3b7841c037fd0c3d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5cc175f32a40a263eaa4d22ec1ec6c2db9944e2c56c0e81b3b7841c037fd0c3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.head.ref in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.head.ref }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 96684, "scanner": "repobility-supply-chain", "fingerprint": "1dbc1350d03e1ecf88d7e1f5a278336c30981e3c0f5bfc99ce238756f96634b5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1dbc1350d03e1ecf88d7e1f5a278336c30981e3c0f5bfc99ce238756f96634b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.title in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.title }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 96683, "scanner": "repobility-supply-chain", "fingerprint": "d0daffd3a3c93bab933fd56b784066cb38dda9186792a2063862674ac8e919ce", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d0daffd3a3c93bab933fd56b784066cb38dda9186792a2063862674ac8e919ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.title in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.title }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 96682, "scanner": "repobility-supply-chain", "fingerprint": "eba85193698e6144cfb5857c2e90347a987c3ceefac0945d46784f29561fcec7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eba85193698e6144cfb5857c2e90347a987c3ceefac0945d46784f29561fcec7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.title in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.title }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 96681, "scanner": "repobility-supply-chain", "fingerprint": "a7bf9baf2fba87a1321179bd290821ae8f2e6284ced14a3cf34391b495fcadb9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a7bf9baf2fba87a1321179bd290821ae8f2e6284ced14a3cf34391b495fcadb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SYNC_MAIN_TO_NEXT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SYNC_MAIN_TO_NEXT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96680, "scanner": "repobility-supply-chain", "fingerprint": "8b8049426b15ce43f82acaaa53da5c5799b1ac5a7dc4f6e613a3a2920eb00b1f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8b8049426b15ce43f82acaaa53da5c5799b1ac5a7dc4f6e613a3a2920eb00b1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 461}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SYNC_MAIN_TO_NEXT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SYNC_MAIN_TO_NEXT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96679, "scanner": "repobility-supply-chain", "fingerprint": "1ec6c3b579dfcc442f8c602dc8efa12763ecee16d0bb554a6711f36159e360d4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ec6c3b579dfcc442f8c602dc8efa12763ecee16d0bb554a6711f36159e360d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 380}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SYNC_MAIN_TO_NEXT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SYNC_MAIN_TO_NEXT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96678, "scanner": "repobility-supply-chain", "fingerprint": "9a8130e533c4464bbf1221c822a5a69a5a4aa05d62a025cd063a3d1428a89c92", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a8130e533c4464bbf1221c822a5a69a5a4aa05d62a025cd063a3d1428a89c92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 368}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SYNC_MAIN_TO_NEXT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SYNC_MAIN_TO_NEXT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96677, "scanner": "repobility-supply-chain", "fingerprint": "e94e70d0fd7f526f6f9e90c13971903032fed5de99ba37dc7c3dd6f2416890d1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e94e70d0fd7f526f6f9e90c13971903032fed5de99ba37dc7c3dd6f2416890d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 347}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SYNC_MAIN_TO_NEXT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SYNC_MAIN_TO_NEXT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96676, "scanner": "repobility-supply-chain", "fingerprint": "ba6a6af274490f546a1aa7a1a58fb0fb61aca5e6da70d805f9df0ca0cdcd0f1a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ba6a6af274490f546a1aa7a1a58fb0fb61aca5e6da70d805f9df0ca0cdcd0f1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 322}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SYNC_MAIN_TO_NEXT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SYNC_MAIN_TO_NEXT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96675, "scanner": "repobility-supply-chain", "fingerprint": "63de6281dff56f2242a740fd6ae6fdc32a5a62565bf5b7bc89fbe2a39a81558e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|63de6281dff56f2242a740fd6ae6fdc32a5a62565bf5b7bc89fbe2a39a81558e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 311}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SYNC_MAIN_TO_NEXT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SYNC_MAIN_TO_NEXT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96674, "scanner": "repobility-supply-chain", "fingerprint": "28aca50f4039599d43460fd84e1bfe71dea4df36abc0bac5f23710b16aa7c68d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|28aca50f4039599d43460fd84e1bfe71dea4df36abc0bac5f23710b16aa7c68d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 271}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SYNC_MAIN_TO_NEXT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SYNC_MAIN_TO_NEXT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96673, "scanner": "repobility-supply-chain", "fingerprint": "9ba8c9a8f1e3551ee91ae9563b33a146c5cafb420d10c914dc91beb481be741a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ba8c9a8f1e3551ee91ae9563b33a146c5cafb420d10c914dc91beb481be741a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SYNC_MAIN_TO_NEXT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SYNC_MAIN_TO_NEXT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96672, "scanner": "repobility-supply-chain", "fingerprint": "4b7824ffc7c267c7d16fe6387bd3bccfca60c319ff9a618ec7f2fec97916ed23", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b7824ffc7c267c7d16fe6387bd3bccfca60c319ff9a618ec7f2fec97916ed23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SYNC_MAIN_TO_NEXT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SYNC_MAIN_TO_NEXT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96671, "scanner": "repobility-supply-chain", "fingerprint": "475e82f4ba3ef45dbf64c0835b768d6cfcdede429dc19123d382bd5342890f23", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|475e82f4ba3ef45dbf64c0835b768d6cfcdede429dc19123d382bd5342890f23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SYNC_MAIN_TO_NEXT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SYNC_MAIN_TO_NEXT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96670, "scanner": "repobility-supply-chain", "fingerprint": "7a618df826bf3e86271528939cd00e1811cecad4ee6ff9788f825b779ee0e8eb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7a618df826bf3e86271528939cd00e1811cecad4ee6ff9788f825b779ee0e8eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-content-to-next.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "properties": {"repobilityId": 96629, "scanner": "repobility-threat-engine", "fingerprint": "98dc11ba2571449355df31813bd2912e64a5dc032956a08d9c61e92f33775120", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|98dc11ba2571449355df31813bd2912e64a5dc032956a08d9c61e92f33775120"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/scripts/validate-open-with-translated-prompts.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 96628, "scanner": "repobility-threat-engine", "fingerprint": "9d77044aacc75c0254412ec631a7b1a93ce1b40a50ddae0cc20014baa4439a3d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9d77044aacc75c0254412ec631a7b1a93ce1b40a50ddae0cc20014baa4439a3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/scripts/redirects-utilities/remove-redirects-vercel-duplicates/compare-redirects-and-vercel.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 96627, "scanner": "repobility-threat-engine", "fingerprint": "0c4d8bf866971bfc3c2baa936e2a0d8b3f8de9be9e1f7ab8c8fb63b358fbccf8", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0c4d8bf866971bfc3c2baa936e2a0d8b3f8de9be9e1f7ab8c8fb63b358fbccf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/scripts/redirects-utilities/redirects-organizer/redirects-organizer.js"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 96626, "scanner": "repobility-threat-engine", "fingerprint": "4652d8ea2212aa8eafd93d3a7f9d1ac63bac74661edac7060348d25390566365", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4652d8ea2212aa8eafd93d3a7f9d1ac63bac74661edac7060348d25390566365"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/scripts/redirects-utilities/docusaurus-vercel-converter/docusaurus-vercel-converter.js"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 96609, "scanner": "repobility-threat-engine", "fingerprint": "67000379ce176714a45662cb4cf84f0b1c5c6045ea78d2162f06303903a639be", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(configPath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|67000379ce176714a45662cb4cf84f0b1c5c6045ea78d2162f06303903a639be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/scripts/redirects-utilities/check-redirections-existence/check-redirects.js"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 96608, "scanner": "repobility-threat-engine", "fingerprint": "cd41910c0ca4b0546d3f3454bfc859628d876e895f69f8a110034b21b3a56f66", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cd41910c0ca4b0546d3f3454bfc859628d876e895f69f8a110034b21b3a56f66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/scripts/generate-llms.js"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 96607, "scanner": "repobility-threat-engine", "fingerprint": "96946d656f239bc94904d70aa72d1a18f64cff3dea7c95bf3ea26699ade2b360", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|96946d656f239bc94904d70aa72d1a18f64cff3dea7c95bf3ea26699ade2b360"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docusaurus/plugins/llms-generator-plugin.js"}, "region": {"startLine": 12}}}]}]}]}