{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC112", "name": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/templa", "shortDescription": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. Using either with user input = XSS."}, "fullDescription": {"text": "Use `html/template` (NOT `text/template`) for HTML responses. 
Never wrap user input with `template.HTML/JS/URL`."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.", "shortDescription": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use a constant command name and validate args via a whitelist."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `ghcr.io/tinygo-org/tinygo-dev:sha-3869f76887feef6c444308e7e1531b7cac1bbd10", "shortDescription": {"text": "[MINED126] Workflow container/services image `ghcr.io/tinygo-org/tinygo-dev:sha-3869f76887feef6c444308e7e1531b7cac1bbd10` unpinned: `container/services image: ghcr.io/tinygo-org/tinygo-dev:sha-3869f76887feef6c444308e7e1531b7cac1bbd10` witho"}, "fullDescription": {"text": "Replace with `ghcr.io/tinygo-org/tinygo-dev:sha-3869f76887feef6c444308e7e1531b7cac1bbd10@sha256:<digest>`. 
Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `peaceiris/actions-gh-pages` pinned to mutable ref `@v4`: `uses: peaceiris/actions-gh-pages@v4` resolv", "shortDescription": {"text": "[MINED115] Action `peaceiris/actions-gh-pages` pinned to mutable ref `@v4`: `uses: peaceiris/actions-gh-pages@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files "}, "fullDescription": {"text": "Replace with: `uses: peaceiris/actions-gh-pages@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED128", "name": "[MINED128] go.mod replaces `github.com/u-root/gobusybox/test/diamonddep/mod2` \u2014 points to a LOCAL path: `replace github.", "shortDescription": {"text": "[MINED128] go.mod replaces `github.com/u-root/gobusybox/test/diamonddep/mod2` \u2014 points to a LOCAL path: `replace github.com/u-root/gobusybox/test/diamonddep/mod2 => ../mod2` overrides the canonical dependency with a different source (points"}, "fullDescription": {"text": "If the replace is intentional (e.g. waiting on an upstream fix), vendor the dependency into the repo and add a comment explaining the reason. 
Remove the replace once upstream merges."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC113", "name": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impe", "shortDescription": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`."}, "fullDescription": {"text": "Python: load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`. Go: implement a `ssh.HostKeyCallback` that compares against a known fingerprint. 
Java JSch: load known_hosts via `jsch.setKnownHosts(...)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED033", "name": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.", "shortDescription": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1124"}, "properties": {"repository": "u-root/u-root", "repoUrl": "https://github.com/u-root/u-root", "branch": "main"}, "results": [{"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. 
Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 111290, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 111282, "scanner": "repobility-threat-engine", "fingerprint": "86cc706054fddaaedba9e62bdce906f6be43c86f2dc5079d6325211776d01bda", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|184|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/kexec/kexec_linux.go"}, "region": {"startLine": 184}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 111281, "scanner": "repobility-threat-engine", "fingerprint": "35891eec4da87825380e2fd2d4b89a73bb2159e7b17a342dae1b3da84e4525c6", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|59|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/init/init_linux.go"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC112", "level": "warning", "message": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. 
Using either with user input = XSS."}, "properties": {"repobilityId": 111279, "scanner": "repobility-threat-engine", "fingerprint": "bdf9356b0d33f84f182920d55e7e7cb0c5925134f4eef22e1d9017d4e588dcf8", "category": "xss", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fmt.Fprintln(stdout, scanner.Text())\n\t\t\t\tc++\n\t\t\t\tif c == count {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC112", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bdf9356b0d33f84f182920d55e7e7cb0c5925134f4eef22e1d9017d4e588dcf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/head/head.go"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC112", "level": "warning", "message": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. 
Using either with user input = XSS."}, "properties": {"repobilityId": 111278, "scanner": "repobility-threat-engine", "fingerprint": "146bb1db1fa7830bd38a9e7fb17b79f9417f59ba0dedf8b243c9f4ea69d0dd51", "category": "xss", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fmt.Fprintln(out, filepath.Dir(n))\n\t}\n\treturn nil\n}\n\nfunc main() {\n\tif err := run(os.Stdout, os.Args", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC112", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|146bb1db1fa7830bd38a9e7fb17b79f9417f59ba0dedf8b243c9f4ea69d0dd51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/dirname/dirname.go"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC112", "level": "warning", "message": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. 
Using either with user input = XSS."}, "properties": {"repobilityId": 111277, "scanner": "repobility-threat-engine", "fingerprint": "62af73da386724882cce118e55e079815fb56589e47d313c0255309ee401ff5c", "category": "xss", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fmt.Fprintln(stdout, rec)\n\t\t}\n\n\tdefault:\n\t\treturn errInvalidArgs\n\t}\n\n\treturn nil\n}\n\nfunc main() {\n\tf", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC112", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|62af73da386724882cce118e55e079815fb56589e47d313c0255309ee401ff5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/cpio/cpio.go"}, "region": {"startLine": 162}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111303, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a52ff3c521bf17b8de47c91e7c8179d52c7469fd1c2bfe240b8835e0f1dd4773", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmds/core/bind/bind_plan9.go", "duplicate_line": 1, "correlation_key": "fp|a52ff3c521bf17b8de47c91e7c8179d52c7469fd1c2bfe240b8835e0f1dd4773"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/unmount/unmount.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111302, "scanner": "repobility-ai-code-hygiene", 
"fingerprint": "2cac2b8429081bc50d32a37b66a459125de445ba19271a54d21d1e9ca579cb6f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmds/core/timeout/sig_darwin.go", "duplicate_line": 1, "correlation_key": "fp|2cac2b8429081bc50d32a37b66a459125de445ba19271a54d21d1e9ca579cb6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/timeout/sig_freebsd.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111301, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac15d5d2fd8448ee1436543d98937781084b08fa37b617e1f05e3ce349e14b62", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmds/core/mknod/mknod_freebsd.go", "duplicate_line": 1, "correlation_key": "fp|ac15d5d2fd8448ee1436543d98937781084b08fa37b617e1f05e3ce349e14b62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/mknod/mknod_linux.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111300, "scanner": "repobility-ai-code-hygiene", "fingerprint": "32e44236c83dc2d17de971cc2c0ccc2593704f11878772c257b4cecce63661dc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmds/core/ls/ls_plan9.go", "duplicate_line": 1, "correlation_key": "fp|32e44236c83dc2d17de971cc2c0ccc2593704f11878772c257b4cecce63661dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/ls/ls_windows.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111299, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3f9e8072181a94375fd184a29a7894819668cdac02ac0b44f47937d51833c3bf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmds/core/kill/list_netbsd.go", "duplicate_line": 95, "correlation_key": "fp|3f9e8072181a94375fd184a29a7894819668cdac02ac0b44f47937d51833c3bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/kill/list_openbsd.go"}, "region": {"startLine": 95}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111298, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8a92b2adb015d8a1a1185e3e8151fb015e628a6bfe54e93a838e4c85cac68b59", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmds/core/kill/list_freebsd.go", "duplicate_line": 28, "correlation_key": "fp|8a92b2adb015d8a1a1185e3e8151fb015e628a6bfe54e93a838e4c85cac68b59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/kill/list_openbsd.go"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111297, "scanner": "repobility-ai-code-hygiene", "fingerprint": "55ae7d5f06a4d2cb0f633a1b2a9190cb51e075b28df90429398646c4b94feedb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmds/core/kill/list_darwin.go", "duplicate_line": 1, "correlation_key": "fp|55ae7d5f06a4d2cb0f633a1b2a9190cb51e075b28df90429398646c4b94feedb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/kill/list_openbsd.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111296, "scanner": "repobility-ai-code-hygiene", "fingerprint": "036da6be3fc1541f1376a867dada3d00253bc38c70c8972df13cdff21cf75864", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmds/core/kill/list_freebsd.go", "duplicate_line": 96, 
"correlation_key": "fp|036da6be3fc1541f1376a867dada3d00253bc38c70c8972df13cdff21cf75864"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/kill/list_netbsd.go"}, "region": {"startLine": 94}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111295, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d7a19bf5ddad5d05c601e9a45c06d2e76b61596fd36eee62c54af832f116c2db", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmds/core/kill/list_darwin.go", "duplicate_line": 1, "correlation_key": "fp|d7a19bf5ddad5d05c601e9a45c06d2e76b61596fd36eee62c54af832f116c2db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/kill/list_netbsd.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111294, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e2cfb508dce2e7e23a02b497bb7661118f35a7521c43ff6ae0b92b0827983a35", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmds/core/kill/list_darwin.go", "duplicate_line": 1, "correlation_key": "fp|e2cfb508dce2e7e23a02b497bb7661118f35a7521c43ff6ae0b92b0827983a35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"cmds/core/kill/list_linux.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111293, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d1b486a65168f82107c1e8229d86db27f671e0656767721607ce91ae06c01104", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmds/core/kill/list_darwin.go", "duplicate_line": 1, "correlation_key": "fp|d1b486a65168f82107c1e8229d86db27f671e0656767721607ce91ae06c01104"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/kill/list_freebsd.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111292, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9aa5c167e44007b3b6fb26505503c08028c6acfdfec811de6417804216ebea38", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmds/core/init/init_freebsd.go", "duplicate_line": 1, "correlation_key": "fp|9aa5c167e44007b3b6fb26505503c08028c6acfdfec811de6417804216ebea38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/init/init_plan9.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source 
files"}, "properties": {"repobilityId": 111291, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bdfe10ea2b10f483f0b76efcf448c672f3153014779fd61fcd2db39efa2b7ab9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmds/core/gosh/completer.go", "duplicate_line": 66, "correlation_key": "fp|bdfe10ea2b10f483f0b76efcf448c672f3153014779fd61fcd2db39efa2b7ab9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/gosh/completer_liner.go"}, "region": {"startLine": 78}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 111271, "scanner": "repobility-threat-engine", "fingerprint": "c12282112b5aa6699662c22ae87a5a5b01b07479cd20665f673c8938512bb55c", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = syscall.Getgroups(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c12282112b5aa6699662c22ae87a5a5b01b07479cd20665f673c8938512bb55c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/id/id.go"}, "region": {"startLine": 114}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 111270, "scanner": "repobility-threat-engine", "fingerprint": "987767accf51ab00c21f12410b5f4db66afde25d1ccbbf41aa1791ecfc9f6dc5", "category": 
"error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = flag.Bool(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|987767accf51ab00c21f12410b5f4db66afde25d1ccbbf41aa1791ecfc9f6dc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/cat/cat.go"}, "region": {"startLine": 28}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 111269, "scanner": "repobility-threat-engine", "fingerprint": "3ad4739e98c212ced10f93d78b2a7c682c7f94c828546199e2f09bc5ef283f63", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = f.Parse(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3ad4739e98c212ced10f93d78b2a7c682c7f94c828546199e2f09bc5ef283f63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/base64/base64.go"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 111284, "scanner": "repobility-threat-engine", "fingerprint": "c78337f34667a8fa12393aab7eb351955030434d499b694b82007e11b14aa793", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c78337f34667a8fa12393aab7eb351955030434d499b694b82007e11b14aa793"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/strings/strings.go"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 111283, "scanner": "repobility-threat-engine", "fingerprint": "6f492cdce0773aea6c8901ef143e8e7ec62c3d5ae9cf7b59ab781460fcf377e3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6f492cdce0773aea6c8901ef143e8e7ec62c3d5ae9cf7b59ab781460fcf377e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/io/io.go"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC112", "level": "none", "message": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 111280, "scanner": "repobility-threat-engine", "fingerprint": "e5db5a79ff092b4535d407b183891004aa87a121f3d4cd32ab0180bf9cf8b27c", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC112", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e5db5a79ff092b4535d407b183891004aa87a121f3d4cd32ab0180bf9cf8b27c"}}}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 111276, "scanner": "repobility-threat-engine", "fingerprint": "4b6d8eee8856ae8cfc81502c27b15ed14dd19ef02fea0b0ed9c59fe7c378cead", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4b6d8eee8856ae8cfc81502c27b15ed14dd19ef02fea0b0ed9c59fe7c378cead", "aggregated_count": 7}}}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 111272, "scanner": "repobility-threat-engine", "fingerprint": "422906d687c51dd527ea90571b59cc39f23789ede1533fde067b80c32b027f0a", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|422906d687c51dd527ea90571b59cc39f23789ede1533fde067b80c32b027f0a"}}}, {"ruleId": "SEC093", "level": "none", "message": {"text": "[SEC093] Go: exec.Command with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 111268, "scanner": "repobility-threat-engine", "fingerprint": "d74cd53c5f67bd4ea42eb783b039b27590da6f8e25da842f19c514e2e7868ebc", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d74cd53c5f67bd4ea42eb783b039b27590da6f8e25da842f19c514e2e7868ebc"}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 111264, "scanner": "repobility-threat-engine", "fingerprint": "a890d6fb1bc1e523e976286f68faf975d3d50e2c404ee601f0c8000eb642094b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a890d6fb1bc1e523e976286f68faf975d3d50e2c404ee601f0c8000eb642094b", "aggregated_count": 8}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() is handed to callees with no cancel or deadline, so nothing downstream can be cancelled and goroutines started under it can outlive the caller. (This hit is in a command-line tool rather than a request handler; the impact depends on whether the context gates blocking I/O.)"}, "properties": {"repobilityId": 111263, "scanner": "repobility-threat-engine", "fingerprint": "d1c5d3d0ccfda56d3c1894f8f51e32679e9e7e585ea84ea5b62cb818bf39c5fe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d1c5d3d0ccfda56d3c1894f8f51e32679e9e7e585ea84ea5b62cb818bf39c5fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/find/find.go"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() is handed to callees with no cancel or deadline, so nothing downstream can be cancelled and goroutines started under it can outlive the caller. (This hit is in a command-line tool rather than a request handler; the impact depends on whether the context gates blocking I/O.)"}, "properties": {"repobilityId": 111262, "scanner": "repobility-threat-engine", "fingerprint": "1dc00bf569ff6cac08083b4237cbc2b0185edf4c22fb8767c5b6a3a63870b48d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1dc00bf569ff6cac08083b4237cbc2b0185edf4c22fb8767c5b6a3a63870b48d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/dhclient/dhclient.go"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() is handed to callees with no cancel or deadline, so nothing downstream can be cancelled and goroutines started under it can outlive the caller. (This hit is in a command-line tool rather than a request handler; the impact depends on whether the context gates blocking I/O.)"}, "properties": {"repobilityId": 111261, "scanner": "repobility-threat-engine", "fingerprint": "393c608f3ca0edb1e043e15bc9dab51865ae378f9f634084be16b8a028429647", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|393c608f3ca0edb1e043e15bc9dab51865ae378f9f634084be16b8a028429647"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/boot/pxeboot/pxeboot_linux.go"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/tinygo-org/tinygo-dev:sha-3869f76887feef6c444308e7e1531b7cac1bbd10` unpinned: `container/services image: 
ghcr.io/tinygo-org/tinygo-dev:sha-3869f76887feef6c444308e7e1531b7cac1bbd10` without `@sha256:...` pulls a mutable tag at workflow-run time. Note that a tag which embeds a git commit hash (`sha-...`) is still an ordinary registry tag: whoever controls the registry namespace can re-point it, so it gives the appearance of immutability without the guarantee. Only the `@sha256:` digest is content-addressed. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 111332, "scanner": "repobility-supply-chain", "fingerprint": "6e4d242602aefdd01b93105ae2c397d879f2172639b299e810d61f2957e427b5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e4d242602aefdd01b93105ae2c397d879f2172639b299e810d61f2957e427b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tinygo.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peaceiris/actions-gh-pages` pinned to mutable ref `@v4`: `uses: peaceiris/actions-gh-pages@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111331, "scanner": "repobility-supply-chain", "fingerprint": "703034a007929904c1f57d2a62bd6885567193a44eca9ddf14f75b894f67aee6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|703034a007929904c1f57d2a62bd6885567193a44eca9ddf14f75b894f67aee6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/homepage.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111330, "scanner": "repobility-supply-chain", "fingerprint": "e843d09b04e279e9869baedd2b9f4395ad09d080540952182106ecf8c7546f2e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e843d09b04e279e9869baedd2b9f4395ad09d080540952182106ecf8c7546f2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/homepage.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111329, "scanner": "repobility-supply-chain", "fingerprint": "9654b75fc6687c4cda5400812b6839d1d7db0b72ec74ec5cbaeddd1a96af4e07", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9654b75fc6687c4cda5400812b6839d1d7db0b72ec74ec5cbaeddd1a96af4e07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/homepage.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `codecov/codecov-action` pinned to mutable ref `@v4`: `uses: codecov/codecov-action@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111328, "scanner": "repobility-supply-chain", "fingerprint": "f1cab2542d2e943bf67a5a8c9c9076d7353fbd710ff6a657043a2b72ca68502a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f1cab2542d2e943bf67a5a8c9c9076d7353fbd710ff6a657043a2b72ca68502a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111327, "scanner": "repobility-supply-chain", "fingerprint": "b957d990544e6e454d8d5ab071a353e29a163336c0a99c038127e76c54195055", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b957d990544e6e454d8d5ab071a353e29a163336c0a99c038127e76c54195055"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111326, "scanner": "repobility-supply-chain", "fingerprint": "75bd95a47d480f6a8dde492b5df52ad4e6f408b02ac621b3e4caae94b234dcc2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|75bd95a47d480f6a8dde492b5df52ad4e6f408b02ac621b3e4caae94b234dcc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111325, "scanner": "repobility-supply-chain", "fingerprint": "a5b98ae7bb1a9a990621764a1c90f8b54940b726f4fe1e3c8d062fde54a69d53", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a5b98ae7bb1a9a990621764a1c90f8b54940b726f4fe1e3c8d062fde54a69d53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cifuzz.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `google/oss-fuzz/infra/cifuzz/actions/run_fuzzers` pinned to mutable ref `@master`: `uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master` resolves at workflow-run time. `@master` is a branch head, not a release tag: every push to that branch changes what this workflow executes, so the reference moves on routine upstream development as well as on a hostile re-tag. If tracking upstream is intentional for the CIFuzz actions, record that exception explicitly rather than leaving it implicit. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111324, "scanner": "repobility-supply-chain", "fingerprint": "76a1638a7217ccbffb910b8c62de7dacd47727e2c71eca8ddb51e9cf27534972", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76a1638a7217ccbffb910b8c62de7dacd47727e2c71eca8ddb51e9cf27534972"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cifuzz.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `google/oss-fuzz/infra/cifuzz/actions/build_fuzzers` pinned to mutable ref `@master`: `uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master` resolves at workflow-run time. `@master` is a branch head, not a release tag: every push to that branch changes what this workflow executes, so the reference moves on routine upstream development as well as on a hostile re-tag. If tracking upstream is intentional for the CIFuzz actions, record that exception explicitly rather than leaving it implicit. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111323, "scanner": "repobility-supply-chain", "fingerprint": "7c4a175ac621d542f3a9b780ba231a48d173a206d6ca3ca68857ffa6ed8403ba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7c4a175ac621d542f3a9b780ba231a48d173a206d6ca3ca68857ffa6ed8403ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cifuzz.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111322, "scanner": "repobility-supply-chain", "fingerprint": "3df204e95f535f97eb02c355764b1af9ae65f6e3edf2014fa0d21915fd65cf38", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3df204e95f535f97eb02c355764b1af9ae65f6e3edf2014fa0d21915fd65cf38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-images.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v3`: `uses: actions/setup-go@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111321, "scanner": "repobility-supply-chain", "fingerprint": "46d567fa18a150dd44f8137529be83c5319286fb8cef97221eb2a12f7259479c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|46d567fa18a150dd44f8137529be83c5319286fb8cef97221eb2a12f7259479c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go.yml"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111320, "scanner": "repobility-supply-chain", "fingerprint": "887817855dbcd5fca8bc40aebdb502c0b6b2121075713b6f9714b3837f9069bb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|887817855dbcd5fca8bc40aebdb502c0b6b2121075713b6f9714b3837f9069bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111319, "scanner": "repobility-supply-chain", "fingerprint": "70066bcb847b23b4f43eaebe14efe660b6a03986fbaffa4f0d23c75cf852d951", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|70066bcb847b23b4f43eaebe14efe660b6a03986fbaffa4f0d23c75cf852d951"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111318, "scanner": "repobility-supply-chain", "fingerprint": "1f791de57bdda5ca60f4385affad4e144c5c54fd292d2e30f6f78a35e4cae1cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1f791de57bdda5ca60f4385affad4e144c5c54fd292d2e30f6f78a35e4cae1cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111317, "scanner": "repobility-supply-chain", "fingerprint": "dc6420746f17383383306e2901050373114f41a96a5c0a90923805c9fc840273", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dc6420746f17383383306e2901050373114f41a96a5c0a90923805c9fc840273"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111316, "scanner": "repobility-supply-chain", "fingerprint": "20d301c85a3ca844496d52c1d633841f0734343da329d2365aece62945b58b63", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|20d301c85a3ca844496d52c1d633841f0734343da329d2365aece62945b58b63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111315, "scanner": "repobility-supply-chain", "fingerprint": "8b978ef889c4896536a9bc8c3dcbebf4e76122015e20f762a077bc75dee22099", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8b978ef889c4896536a9bc8c3dcbebf4e76122015e20f762a077bc75dee22099"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111314, "scanner": "repobility-supply-chain", "fingerprint": "41a8efd1170242167feae936fa5b07588c6dcd3e7a59b4a683bd3c41090afa23", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|41a8efd1170242167feae936fa5b07588c6dcd3e7a59b4a683bd3c41090afa23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v3`: `uses: github/codeql-action/analyze@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111313, "scanner": "repobility-supply-chain", "fingerprint": "8a922a03499a8ca3832e0e7457e0f3bad3a9fbcfbfd829f144474539a56a48c5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8a922a03499a8ca3832e0e7457e0f3bad3a9fbcfbfd829f144474539a56a48c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/autobuild` pinned to mutable ref `@v3`: `uses: github/codeql-action/autobuild@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111312, "scanner": "repobility-supply-chain", "fingerprint": "2f9cf7ae0339adf819456276f517e78c1f9b80d62709ba18f7c2c5c29cf65c52", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2f9cf7ae0339adf819456276f517e78c1f9b80d62709ba18f7c2c5c29cf65c52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v3`: `uses: github/codeql-action/init@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111311, "scanner": "repobility-supply-chain", "fingerprint": "58979b82747df0a47d8418f3e8aeb6d2e4ba2bf52eea446e4b7062ffdfd717a2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|58979b82747df0a47d8418f3e8aeb6d2e4ba2bf52eea446e4b7062ffdfd717a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111310, "scanner": "repobility-supply-chain", "fingerprint": "66793e1cbb4bbb9de56ce19839cbe3627cce337d83897815251dfdc6fb140a43", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|66793e1cbb4bbb9de56ce19839cbe3627cce337d83897815251dfdc6fb140a43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `golangci/golangci-lint-action` pinned to mutable ref `@v7`: `uses: golangci/golangci-lint-action@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111309, "scanner": "repobility-supply-chain", "fingerprint": "bc68b9916c0772728dcf0e693e7b476609dc0e30ef86871e7e8f1a9feb1781d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bc68b9916c0772728dcf0e693e7b476609dc0e30ef86871e7e8f1a9feb1781d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/golangci-lint.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111308, "scanner": "repobility-supply-chain", "fingerprint": "807c28ec93a40172659d4cb0b476c6dc2f70996f0e70327c1bdcf493a69bf8eb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|807c28ec93a40172659d4cb0b476c6dc2f70996f0e70327c1bdcf493a69bf8eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/golangci-lint.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 111307, "scanner": "repobility-supply-chain", "fingerprint": "dddd37c4fcb33a99ace075602b843100455b8fb8264e3798f477c7dbc87edc96", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dddd37c4fcb33a99ace075602b843100455b8fb8264e3798f477c7dbc87edc96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/golangci-lint.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `github.com/u-root/gobusybox/test/diamonddep/mod2` \u2014 points to a LOCAL path: `replace github.com/u-root/gobusybox/test/diamonddep/mod2 => ../mod2` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111306, "scanner": "repobility-supply-chain", "fingerprint": "f0d2d5c2ede5c8104a55f995b20deca4db2616320e40f96c6702eba5d60192f5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0d2d5c2ede5c8104a55f995b20deca4db2616320e40f96c6702eba5d60192f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/exp/cmd2pkg/test/diamonddep/mod1/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `github.com/u-root/gobusybox/test/diamonddep/mod1` \u2014 points to a LOCAL path: `replace github.com/u-root/gobusybox/test/diamonddep/mod1 => ../mod1` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111305, "scanner": "repobility-supply-chain", "fingerprint": "3a2556c7b7525488bb4bd9771d378e85ef1c7f26562c5d846a5df42321c4033a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3a2556c7b7525488bb4bd9771d378e85ef1c7f26562c5d846a5df42321c4033a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/exp/cmd2pkg/test/diamonddep/mod2/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `github.com/u-root/gobusybox/test/normaldeps/mod2/v2` \u2014 points to a LOCAL path: `replace github.com/u-root/gobusybox/test/normaldeps/mod2/v2 => ../mod2` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111304, "scanner": "repobility-supply-chain", "fingerprint": "51d9d36d530ee49a8c6ff6443b1fcaf18c05c5e22ed2805e7ccde4f689bf66ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|51d9d36d530ee49a8c6ff6443b1fcaf18c05c5e22ed2805e7ccde4f689bf66ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/exp/cmd2pkg/test/normaldeps/mod1/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 111289, "scanner": "repobility-threat-engine", "fingerprint": "f24f3dea79e779609629866d81e157019e8d499fbf717a1298f14d4a0ce926af", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f24f3dea79e779609629866d81e157019e8d499fbf717a1298f14d4a0ce926af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/netcat/connect.go"}, "region": {"startLine": 255}}}]}, {"ruleId": "SEC113", "level": "error", "message": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. 
Common in `paramiko.AutoAddPolicy()`."}, "properties": {"repobilityId": 111288, "scanner": "repobility-threat-engine", "fingerprint": "01d5c48dd7063b7cde13662579503f13b58a31962ed359c5771cb76f0dd07ad3", "category": "crypto", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ssh.InsecureIgnoreHostKey(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC113", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|41|sec113"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/mount9p/mount9p.go"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 111287, "scanner": "repobility-threat-engine", "fingerprint": "f5c0d0e7081a71dc328fbc8fb82cc614981b18550a25b6e0cbffb5dd63726330", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f5c0d0e7081a71dc328fbc8fb82cc614981b18550a25b6e0cbffb5dd63726330"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/shasum/shasum.go"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 111286, "scanner": 
"repobility-threat-engine", "fingerprint": "973374368d7b109ab40a40f837eae56daadb99b197b7343243fa307a0d16de48", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|973374368d7b109ab40a40f837eae56daadb99b197b7343243fa307a0d16de48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/md5sum/md5sum.go"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 111285, "scanner": "repobility-threat-engine", "fingerprint": "111caae920093ff06072f8a3dfda778073195dc252b4cc4923ff203454ea804e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|111caae920093ff06072f8a3dfda778073195dc252b4cc4923ff203454ea804e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/ip/ip_linux.go"}, "region": {"startLine": 246}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not 
checked. Go anti-pattern."}, "properties": {"repobilityId": 111275, "scanner": "repobility-threat-engine", "fingerprint": "d38a070415b1a65d8263747a8d5ff3d04defdab6cbe60fb0981e0d0b11c9eb86", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d38a070415b1a65d8263747a8d5ff3d04defdab6cbe60fb0981e0d0b11c9eb86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/echo/echo.go"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 111274, "scanner": "repobility-threat-engine", "fingerprint": "eda812abee9cb02f3e01d7c7d3a6c962979925cc2156e3a4d3cc79d14a67a13a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eda812abee9cb02f3e01d7c7d3a6c962979925cc2156e3a4d3cc79d14a67a13a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/dmesg/dmesg_linux.go"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 111273, "scanner": "repobility-threat-engine", "fingerprint": "f3c7542a3e70baf3839695911cc62d7bb5eaad0bd2245f120c233592885bb3ee", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f3c7542a3e70baf3839695911cc62d7bb5eaad0bd2245f120c233592885bb3ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/basename/basename.go"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. 
Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 111267, "scanner": "repobility-threat-engine", "fingerprint": "ec4b6eeb2b6ffce45fe242fb5d246763e368d89138d09412834273d38452029c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ec4b6eeb2b6ffce45fe242fb5d246763e368d89138d09412834273d38452029c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/service/service.go"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 111266, "scanner": "repobility-threat-engine", "fingerprint": "40a8904081298ab7850762ebd53f94e588ff365e3515473e2321ff303df5e07c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.Command(cmdName,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|40a8904081298ab7850762ebd53f94e588ff365e3515473e2321ff303df5e07c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/nohup/nohup.go"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. 
Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 111265, "scanner": "repobility-threat-engine", "fingerprint": "6403ae9afaab44ac11bcc5e9ed153487e6b253ace6d297869c0cc2203a50b3b0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.Command(c,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6403ae9afaab44ac11bcc5e9ed153487e6b253ace6d297869c0cc2203a50b3b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmds/core/backoff/backoff.go"}, "region": {"startLine": 58}}}]}]}]}