{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 151 more): Same pattern found in 151 ad", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 151 more): Same pattern found in 151 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/245"}, "properties": {"repository": "withastro/astro", "repoUrl": "https://github.com/withastro/astro", "branch": "main"}, "results": [{"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 22777, "scanner": "repobility-threat-engine", "fingerprint": "22f98b5bfaa39fb39b7b4b4459819023ad568632130751b090f446c3a03d6342", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|22f98b5bfaa39fb39b7b4b4459819023ad568632130751b090f446c3a03d6342"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/astro/src/core/dev/dev.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 22776, "scanner": "repobility-threat-engine", "fingerprint": "e257a272528e7f582bf03b368a393776047bb958c53ec7b81d085cbaf255ad06", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e257a272528e7f582bf03b368a393776047bb958c53ec7b81d085cbaf255ad06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/astro/src/content/vite-plugin-content-assets.ts"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 22773, "scanner": "repobility-threat-engine", "fingerprint": "ee318be60b40e047209ae10eaadc6369082ea26ecbff1fcf9ccbb65e20fc0c21", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|87|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/astro/src/core/config/settings.ts"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 22772, "scanner": "repobility-threat-engine", "fingerprint": "21f3763c52f320bbed0daf16721aadf68e1d5f8761962a3467ae493132a730ed", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|37|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/astro/src/content/loaders/file.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 22771, "scanner": "repobility-threat-engine", "fingerprint": "aa4f9af38ee378046f2f35f302df4fc256a444d2a3a3ed48159eb151822ff0c7", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|39|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/language-tools/vscode/scripts/build-grammar.mjs"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 22765, "scanner": "repobility-threat-engine", "fingerprint": "0ec7eadc72a352cefa2bb5f9b9880965333897c432dfaa0b70a25b77267e16b8", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = s", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|150|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/astro/src/transitions/router.ts"}, "region": {"startLine": 150}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 22764, "scanner": "repobility-threat-engine", "fingerprint": "28d26814dd709e778b465cb2f811f0439e4c12450cdf882d2d3df15e09d8f7b5", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = v", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|31|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/integrations/solid/src/client.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 22763, "scanner": "repobility-threat-engine", "fingerprint": "dcbd72883f6c47e326e181b6fecb224c19cee689ec8844773822cf12fde06a28", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = c", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|62|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/integrations/react/src/client.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 22775, "scanner": "repobility-threat-engine", "fingerprint": "f7b09ff4189e09e5f09127468f5989b145be69d5644d4f8e6683e181f93dd761", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error(`Invalid value for --db-app-token; expected a string.`)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|7|console.error invalid value for --db-app-token expected a string."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/db/src/core/cli/index.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 22774, "scanner": "repobility-threat-engine", "fingerprint": "29ab876fbcd71066d3bb52c4132f87053116617c2659bda9e9476641b4d3c502", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.error('Failed to load Prettier config.', e)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|10|console.error failed to load prettier config. e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/language-tools/language-server/src/languageServerPlugin.ts"}, "region": {"startLine": 104}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 22770, "scanner": "repobility-threat-engine", "fingerprint": "9375baefc0ced02fd3d7e2992e6c7895a26c4bebc8685b2aa8bfeb0351b3d42e", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9375baefc0ced02fd3d7e2992e6c7895a26c4bebc8685b2aa8bfeb0351b3d42e"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 22769, "scanner": "repobility-threat-engine", "fingerprint": "e51de9e015c45d94bfdd8ca9dfe6ee2457c9b8b17d98b069357afcb2a069dd7b", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|4|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/astro/src/runtime/client/dev-toolbar/apps/utils/icons.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 22768, "scanner": "repobility-threat-engine", "fingerprint": "832273d0295d2ca7df437721405f4e63f8bbdcc49acff28704a824402e56cd86", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|123|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/astro/src/runtime/server/transition.ts"}, "region": {"startLine": 123}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 22767, "scanner": "repobility-threat-engine", "fingerprint": "35bbdb1b49b44c0ca38a62fbdf0ed0b75d3588d131ca7732c909de5ecb8e34ab", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|43|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/language-tools/vscode/src/client.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 22766, "scanner": "repobility-threat-engine", "fingerprint": "eeb1bfc73443431b138491f7e6aacb032cc23e7fdd7d695f2a3fc212f58ff65f", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|eeb1bfc73443431b138491f7e6aacb032cc23e7fdd7d695f2a3fc212f58ff65f"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 151 more): Same pattern found in 151 additional files. Review if needed."}, "properties": {"repobilityId": 22762, "scanner": "repobility-threat-engine", "fingerprint": "226a2192f3c0ff8267df5e9619128a5cf069dcfe8ecf616081e2f3a3d3a68a26", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 151 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 151 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|226a2192f3c0ff8267df5e9619128a5cf069dcfe8ecf616081e2f3a3d3a68a26"}}}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 22778, "scanner": "repobility-threat-engine", "fingerprint": "11d354847c782d391e36246ace1e74dc01a69b21e29be2fb37dccf4d7b6a3bc6", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|11d354847c782d391e36246ace1e74dc01a69b21e29be2fb37dccf4d7b6a3bc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/astro/src/transitions/router.ts"}, "region": {"startLine": 443}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 22761, "scanner": "repobility-threat-engine", "fingerprint": "cb7929b7366e300a1b7364c82d534506b4fc4caf9ca5de8d29b00d39a717a84c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cb7929b7366e300a1b7364c82d534506b4fc4caf9ca5de8d29b00d39a717a84c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cmd/test.js"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 22760, "scanner": "repobility-threat-engine", "fingerprint": "80cfc397637fdd773ced018cdddc7b5f05280ed0abfd557a7d8f6ee272d03a55", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|80cfc397637fdd773ced018cdddc7b5f05280ed0abfd557a7d8f6ee272d03a55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cmd/prebuild.js"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 22759, "scanner": "repobility-threat-engine", "fingerprint": "d3d777f43d195c469ea7e5aa1fa59de6ae53bf8ff09a4005a700018ebca866dd", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d3d777f43d195c469ea7e5aa1fa59de6ae53bf8ff09a4005a700018ebca866dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmark/index.js"}, "region": {"startLine": 64}}}]}]}]}