{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED124", "name": "[MINED124] requirements.txt: `haliax` has no version pin: Unpinned pip requirement means every fresh install may resolve", "shortDescription": {"text": "[MINED124] requirements.txt: `haliax` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible instal"}, "fullDescription": {"text": "Replace `haliax` with `haliax==<version>` and manage upgrades through PRs / Dependabot."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "[MINED109] Mutable default argument in `run_with_timeout_signal` (dict): `def run_with_timeout_signal(... = []/{}/set())", "shortDescription": {"text": "[MINED109] Mutable default argument in `run_with_timeout_signal` (dict): `def run_with_timeout_signal(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in o"}, "fullDescription": {"text": "Use None as the default and create the collection inside the function: `def run_with_timeout_signal(x=None): x = x or []`"}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Dockerfile base image uses the latest tag", "shortDescription": {"text": "Dockerfile base image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Parse only usage metadata by default. Redact prompts, tool arguments, file paths, and message content before storage, telemetry, export, screenshots, or support bundles."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `_run` has cognitive complexity 21 (SonarSource scale). Cognitive complexi", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `_run` has cognitive complexity 21 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weig"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 21."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Use `pip install --no-cache-dir ...` in container builds."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.", "shortDescription": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED001] Bare Except Pass (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 19 more): Same pattern found in 19 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED063", "name": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use.", "shortDescription": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-367 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED049] Print Pii (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 13 more): Same pattern found in 13 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields (and 20 more): Same pattern found in 20 additional files. Review if needed.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `ghcr.io/marin-community/iris-task:latest` not pinned by digest: `FROM ghcr.io/marin-communit", "shortDescription": {"text": "[MINED118] Dockerfile FROM `ghcr.io/marin-community/iris-task:latest` not pinned by digest: `FROM ghcr.io/marin-community/iris-task:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so ever"}, "fullDescription": {"text": "Replace with: `FROM ghcr.io/marin-community/iris-task:latest@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `google-github-actions/setup-gcloud` pinned to mutable ref `@v2`: `uses: google-github-actions/setup-g", "shortDescription": {"text": "[MINED115] Action `google-github-actions/setup-gcloud` pinned to mutable ref `@v2`: `uses: google-github-actions/setup-gcloud@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-action"}, "fullDescription": {"text": "Replace with: `uses: google-github-actions/setup-gcloud@<40-char-sha>  # v2` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "[MINED112] FastAPI POST /v1/tokens has no auth: Handler `fetch_tokens` is registered with router/app.post(...) but no De", "shortDescription": {"text": "[MINED112] FastAPI POST /v1/tokens has no auth: Handler `fetch_tokens` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "fullDescription": {"text": "Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED110", "name": "[MINED110] Blocking call `requests.extend` inside async function `_fetch_until_requests`: `requests.extend` is a synchro", "shortDescription": {"text": "[MINED110] Blocking call `requests.extend` inside async function `_fetch_until_requests`: `requests.extend` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in t"}, "fullDescription": {"text": "Use the async equivalent: `aiohttp` instead of `requests`, `asyncio.sleep` instead of `time.sleep`, `aiofiles` instead of `open`."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self._stub_server` used but never assigned in __init__: Method `_handle_completions` of class `_Deterministi", "shortDescription": {"text": "[MINED108] `self._stub_server` used but never assigned in __init__: Method `_handle_completions` of class `_DeterministicOpenAIHandler` reads `self._stub_server`, but no assignment to it exists in __init__ (and no class-level fallback). Thi"}, "fullDescription": {"text": "Initialize `self._stub_server = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_slice_cache_too_small: Test function `test_slice_cache_too_small` runs code but c", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_slice_cache_too_small: Test function `test_slice_cache_too_small` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anyth"}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED036", "name": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping.", "shortDescription": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED021", "name": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape.", "shortDescription": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.WANDB_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, ", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.WANDB_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.WANDB_API_KEY }` lets a PR from any fork exfiltrate the secret"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. T", "shortDescription": {"text": "[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import stat` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1262"}, "properties": {"repository": "marin-community/marin", "repoUrl": "https://github.com/marin-community/marin", "branch": "main"}, "results": [{"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `haliax` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 128244, "scanner": "repobility-supply-chain", "fingerprint": "3bd92cf0782b63d359bd4726e187ea6887274f2fc545a3bbc4257496a76f262b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3bd92cf0782b63d359bd4726e187ea6887274f2fc545a3bbc4257496a76f262b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docs/requirements.txt"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `mkdocs-macros-plugin` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 128243, "scanner": "repobility-supply-chain", "fingerprint": "b4f6e06d39f75643ad9d6fd3877ccd9425d0a112d005c719a4c4eb824707e817", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4f6e06d39f75643ad9d6fd3877ccd9425d0a112d005c719a4c4eb824707e817"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docs/requirements.txt"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `mkdocs-literate-nav` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 128242, "scanner": "repobility-supply-chain", "fingerprint": "fccd7d4c661a1000abd28847be7e05d3e1b22c54d4964362ddfe2f6a1bf6a5c2", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fccd7d4c661a1000abd28847be7e05d3e1b22c54d4964362ddfe2f6a1bf6a5c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docs/requirements.txt"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `mkdocs-include-markdown-plugin` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 128241, "scanner": "repobility-supply-chain", "fingerprint": "472c8c8cf2889c9430c5f6cd605c6f32ee0aaf0b0e24ce64dbb8730437554b3d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|472c8c8cf2889c9430c5f6cd605c6f32ee0aaf0b0e24ce64dbb8730437554b3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docs/requirements.txt"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `mkdocs-autorefs` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 128240, "scanner": "repobility-supply-chain", "fingerprint": "b0d6d5b6bf2477a5ae0a11a171d11330ae2ca1788c041d81eff5b4458e31a7d4", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b0d6d5b6bf2477a5ae0a11a171d11330ae2ca1788c041d81eff5b4458e31a7d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docs/requirements.txt"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `mkdocs-material-extensions` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 128239, "scanner": "repobility-supply-chain", "fingerprint": "91f5b5d76f5f282ae3b62d1c466e0314e2e6f0d69844ec57e8d0c1548c0eeae8", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|91f5b5d76f5f282ae3b62d1c466e0314e2e6f0d69844ec57e8d0c1548c0eeae8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docs/requirements.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `mkdocs-material` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 128238, "scanner": "repobility-supply-chain", "fingerprint": "5d7fd258363e3134039c8f4a8eeddc33073a0a5f4d950dfff36c3b0a0958cf63", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5d7fd258363e3134039c8f4a8eeddc33073a0a5f4d950dfff36c3b0a0958cf63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docs/requirements.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `mkdocstrings-python` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 128237, "scanner": "repobility-supply-chain", "fingerprint": "ad1213ff73916da2116058690a36737f630edade231679cf3b22b939ebab76c2", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad1213ff73916da2116058690a36737f630edade231679cf3b22b939ebab76c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docs/requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `mkdocstrings` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 128236, "scanner": "repobility-supply-chain", "fingerprint": "e2bb7b9be807747f815205371109b20dbdc268ae7c057146b002cd39ad7c8f10", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2bb7b9be807747f815205371109b20dbdc268ae7c057146b002cd39ad7c8f10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docs/requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `mkdocs` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 128235, "scanner": "repobility-supply-chain", "fingerprint": "331cfb775de710af2feb875fbff5fd0a331fc028fd2c26b86ff340c6a453d470", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|331cfb775de710af2feb875fbff5fd0a331fc028fd2c26b86ff340c6a453d470"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docs/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `run_with_timeout_signal` (dict): `def run_with_timeout_signal(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 128213, "scanner": "repobility-ast-engine", "fingerprint": "5c85732636d0b24c2e10d6e1222ae398417f911b2b944263de34bb81500aacb2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5c85732636d0b24c2e10d6e1222ae398417f911b2b944263de34bb81500aacb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/marin/src/marin/rl/environments/tinker_environments/math_grading.py"}, "region": {"startLine": 568}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `__init__` (dict): `def __init__(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 128212, "scanner": "repobility-ast-engine", "fingerprint": "c1bad9e2f1dd0ede55a5ece4f6911ab252f1bfbbdef64bdbcc4b3cb49f63a93e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c1bad9e2f1dd0ede55a5ece4f6911ab252f1bfbbdef64bdbcc4b3cb49f63a93e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/marin/src/marin/rl/environments/prime_intellect_env.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128188, "scanner": "repobility-ast-engine", "fingerprint": "33f9fc7f978b29b36a1881dbddb4bfba6dcc162c36d7e8bd41b8484d6ae7dd65", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|33f9fc7f978b29b36a1881dbddb4bfba6dcc162c36d7e8bd41b8484d6ae7dd65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/processing/classification/deduplication/resources/parser_variants/_utils.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128187, "scanner": "repobility-ast-engine", "fingerprint": "adb5472064994e1a64cd88b604db2cfed2932e3f904f1e5ffce7f86d39cfde28", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|adb5472064994e1a64cd88b604db2cfed2932e3f904f1e5ffce7f86d39cfde28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/processing/classification/deduplication/resources/parser_variants/_utils.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128162, "scanner": "repobility-ast-engine", "fingerprint": "2e6ed07e26f338a4fdd1f88e7cf1aa0e1057f69c583362d9a311e1f796ffc254", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2e6ed07e26f338a4fdd1f88e7cf1aa0e1057f69c583362d9a311e1f796ffc254"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/rl/test_inference_ctx.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128158, "scanner": "repobility-ast-engine", "fingerprint": "f642fa60d077fdfb2c48495973bb6d935a8f20402a3a1a486bf1f6661a36755a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f642fa60d077fdfb2c48495973bb6d935a8f20402a3a1a486bf1f6661a36755a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_marin_tokenizer.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128156, "scanner": "repobility-ast-engine", "fingerprint": "ae9c74893990b856a53d17c58bdf57427fd0439472a9197b906e6d402e109470", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ae9c74893990b856a53d17c58bdf57427fd0439472a9197b906e6d402e109470"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_marin_chat_template.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128154, "scanner": "repobility-ast-engine", "fingerprint": "6783c8f2c517749132da4ed8c57a36218f81854aa10e032f6f49a8179ea98814", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6783c8f2c517749132da4ed8c57a36218f81854aa10e032f6f49a8179ea98814"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_data_configs.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128153, "scanner": "repobility-ast-engine", "fingerprint": "85cb1335e0a823f792ed37bf9e5a7db85f2b4368e758ad055b608b496afa72ef", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|85cb1335e0a823f792ed37bf9e5a7db85f2b4368e758ad055b608b496afa72ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_data_configs.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128152, "scanner": "repobility-ast-engine", "fingerprint": "b30c6ecefd9360e2be9c36b8f3a7dba0bf3fd1d0cf27a300f2e6ff3161a7546d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b30c6ecefd9360e2be9c36b8f3a7dba0bf3fd1d0cf27a300f2e6ff3161a7546d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_data_configs.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128146, "scanner": "repobility-ast-engine", "fingerprint": "55838b98984e35847ff92ad46c47bd39c7f3fd09b08e1bb01ba3f2e94ed2a9d6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|55838b98984e35847ff92ad46c47bd39c7f3fd09b08e1bb01ba3f2e94ed2a9d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_download_pretokenized.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128145, "scanner": "repobility-ast-engine", "fingerprint": "fce4249e26c92362afa283008830235bc3da41795992e5a9cb43877ffccf4032", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fce4249e26c92362afa283008830235bc3da41795992e5a9cb43877ffccf4032"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_download_pretokenized.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128125, "scanner": "repobility-ast-engine", "fingerprint": "eb3a28acd1fc8a890dfcda6506ab57c53d62eae9dc104baf50f264d31da6dc86", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eb3a28acd1fc8a890dfcda6506ab57c53d62eae9dc104baf50f264d31da6dc86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/github_wandb_metrics.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128124, "scanner": "repobility-ast-engine", "fingerprint": "823360279404d44ef86b69758072ce4d3643e0c9236ec7f83a7f2094dd0549d8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|823360279404d44ef86b69758072ce4d3643e0c9236ec7f83a7f2094dd0549d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/github_wandb_metrics.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128123, "scanner": "repobility-ast-engine", "fingerprint": "ab8a6efc01ec758c444638904eada0967eeef3f28760b56c12f35ec62f776fbd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ab8a6efc01ec758c444638904eada0967eeef3f28760b56c12f35ec62f776fbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/pre-commit.py"}, "region": {"startLine": 435}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128122, "scanner": "repobility-ast-engine", "fingerprint": "5942be88d7da0741a6dc06190a624b485fd527032676dd8eee2909a08a5a5de9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5942be88d7da0741a6dc06190a624b485fd527032676dd8eee2909a08a5a5de9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/pre-commit.py"}, "region": {"startLine": 1241}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128121, "scanner": "repobility-ast-engine", "fingerprint": "5d36ad2903d69db9d827e00fcd7fef78efdf5d0fc231b960b9fcff070a2c5a65", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5d36ad2903d69db9d827e00fcd7fef78efdf5d0fc231b960b9fcff070a2c5a65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/pre-commit.py"}, "region": {"startLine": 428}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128120, "scanner": "repobility-ast-engine", "fingerprint": "b4ef2f0302349d19b6835ac5551c04ebd8f19f557a901adb505e5a9740e1fb89", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b4ef2f0302349d19b6835ac5551c04ebd8f19f557a901adb505e5a9740e1fb89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/pre-commit.py"}, "region": {"startLine": 696}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128119, "scanner": "repobility-ast-engine", "fingerprint": "0f0c823b190d6787fcf8f090307ef3440069e24c7a19a034c1e3a733ca0aac0f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0f0c823b190d6787fcf8f090307ef3440069e24c7a19a034c1e3a733ca0aac0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/pre-commit.py"}, "region": {"startLine": 662}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128118, "scanner": "repobility-ast-engine", "fingerprint": "1b1abbbd8ccf0f9fbfb8f66eed571b69917616dd621c62f90c0a5c292dcc0b11", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1b1abbbd8ccf0f9fbfb8f66eed571b69917616dd621c62f90c0a5c292dcc0b11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/pre-commit.py"}, "region": {"startLine": 584}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128117, "scanner": "repobility-ast-engine", "fingerprint": "29c41e5fe07c3281ea302ac69888863dbc1830e839fc022e60394f02e8720534", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|29c41e5fe07c3281ea302ac69888863dbc1830e839fc022e60394f02e8720534"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/pre-commit.py"}, "region": {"startLine": 537}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128116, "scanner": "repobility-ast-engine", "fingerprint": "7cf99d9697b8d3689c7baf94752a068a7d17af9ddaccf53d2ecba57d29be06a5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7cf99d9697b8d3689c7baf94752a068a7d17af9ddaccf53d2ecba57d29be06a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/pre-commit.py"}, "region": {"startLine": 457}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128115, "scanner": "repobility-ast-engine", "fingerprint": "fd8641cbb185e8d747042eccc553e2802163e3ccef22a700c135ac17e48fb6a1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fd8641cbb185e8d747042eccc553e2802163e3ccef22a700c135ac17e48fb6a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/pre-commit.py"}, "region": {"startLine": 393}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128114, "scanner": "repobility-ast-engine", "fingerprint": "3175079b2bb86d2aa9b25211ae1c8d585559525046858afef6ad92f823d96e2a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3175079b2bb86d2aa9b25211ae1c8d585559525046858afef6ad92f823d96e2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/pre-commit.py"}, "region": {"startLine": 971}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128113, "scanner": "repobility-ast-engine", "fingerprint": "81ac6341a19b216e5f8b1cac54955b291bac97788318a0ed465a4794400b9c98", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|81ac6341a19b216e5f8b1cac54955b291bac97788318a0ed465a4794400b9c98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/pre-commit.py"}, "region": {"startLine": 957}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128112, "scanner": "repobility-ast-engine", "fingerprint": "43e35a453b1534d32ae29e8c8fa21ca42dc19f099e9d2c5acbe31ff4834e7e54", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|43e35a453b1534d32ae29e8c8fa21ca42dc19f099e9d2c5acbe31ff4834e7e54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/pre-commit.py"}, "region": {"startLine": 949}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128111, "scanner": "repobility-ast-engine", "fingerprint": "111d003171fb4d427a34215c1a144407000db51202badb3ae324ecd441c3325d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|111d003171fb4d427a34215c1a144407000db51202badb3ae324ecd441c3325d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/pre-commit.py"}, "region": {"startLine": 935}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 128110, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 128109, "scanner": "repobility-journey-contract", "fingerprint": "305d8f697ef2568e2d46e08a4029e121b9c97f52a621380c73e2773b2782c530", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|1449|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ops/storage/dashboard/app.js"}, "region": {"startLine": 1449}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 128108, "scanner": "repobility-journey-contract", "fingerprint": "1b888b93047bf22b42e352722190417d729d4cd6a4d872a78ebc887b41c4f9a7", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|1389|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ops/storage/dashboard/app.js"}, "region": {"startLine": 1389}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 128107, "scanner": "repobility-journey-contract", "fingerprint": "3133345a68c7265a1717988a3d7fdae5c32c494bbf992f3d8e9fecab6da3f6dc", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|6|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ops/storage/dashboard/app.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 128106, "scanner": "repobility-journey-contract", "fingerprint": "85bd4bef35785c7ffa68a2521c8e1580b924de667cdae6c9de38a1e1f24d963e", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|2|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ops/storage/dashboard/api.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 128105, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Django"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 128104, "scanner": "repobility-docker", "fingerprint": "854d42a8a02063a523d2ecb3837bb7bc2f73c377ff8ccd6dd3d6c5e02dedb278", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${IMAGE}:${TAG}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|854d42a8a02063a523d2ecb3837bb7bc2f73c377ff8ccd6dd3d6c5e02dedb278"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docker/tpu/Dockerfile.incremental"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 128098, "scanner": "repobility-docker", "fingerprint": "1774656881c765ab3770e5e49112a180048bcecc4d806c468296e19ae54523e6", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.11", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1774656881c765ab3770e5e49112a180048bcecc4d806c468296e19ae54523e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docker/tpu/Dockerfile.base"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 128092, "scanner": "repobility-docker", "fingerprint": "64ce98be489bd20a877fdb034465055afb2f3f48f9e2aedec257acfc4feaa94b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.12-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|64ce98be489bd20a877fdb034465055afb2f3f48f9e2aedec257acfc4feaa94b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/Dockerfile"}, "region": {"startLine": 156}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 128088, "scanner": "repobility-docker", "fingerprint": "85bda4ab53c9406f3708204107a7182eb1b83ef35a002b67790bb777319c5f1e", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:20-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|85bda4ab53c9406f3708204107a7182eb1b83ef35a002b67790bb777319c5f1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/status-page/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 128087, "scanner": "repobility-docker", "fingerprint": "36ce19a6cf01559576745edd97fd5bdd40e5d098119f51401e939970907553e6", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.11-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|36ce19a6cf01559576745edd97fd5bdd40e5d098119f51401e939970907553e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/iris-iap-proxy/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 128086, "scanner": "repobility-docker", "fingerprint": "c9854a77f881632cfc5dc59a29cb3f05c316da91e73c48f1c63909b61e062eb5", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c9854a77f881632cfc5dc59a29cb3f05c316da91e73c48f1c63909b61e062eb5", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/iris-iap-proxy/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 128085, "scanner": "repobility-docker", "fingerprint": "35a5b5e13bc945ac937a9e843f6a55909c08fa4ad01c61167e39ff79e1308ead", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ghcr.io/marin-community/iris-task:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|35a5b5e13bc945ac937a9e843f6a55909c08fa4ad01c61167e39ff79e1308ead"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/swe_rebench_trace/Dockerfile"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 128084, "scanner": "repobility-docker", "fingerprint": "4dc97c3ac80ad04841ee9efb0b9232eaf220a0e491fa4137a0f5acbe5682ccef", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/marin-community/iris-task:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4dc97c3ac80ad04841ee9efb0b9232eaf220a0e491fa4137a0f5acbe5682ccef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/swe_rebench_trace/Dockerfile"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 128083, "scanner": "repobility-docker", "fingerprint": "fc78622eefa1c3b4aa8066f2237abf8b088794b13204c8d56869a263a538eef0", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "rayproject/ray:2.53.0-py311-cpu", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fc78622eefa1c3b4aa8066f2237abf8b088794b13204c8d56869a263a538eef0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/marin/Dockerfile.vllm"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 128075, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "pr_reviews.db", "size_mb": 29.1}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 128074, "scanner": "repobility-agent-runtime", "fingerprint": "96b578b154564ec6707b26977f05eb8d95b91ac80e318286faacdbd820128b50", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|96b578b154564ec6707b26977f05eb8d95b91ac80e318286faacdbd820128b50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/fray/src/fray/iris_backend.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 128073, "scanner": "repobility-agent-runtime", "fingerprint": "fce2a192912c8bf83e32af85fd90de8c52914614cbd14f2969df529260c41d69", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|fce2a192912c8bf83e32af85fd90de8c52914614cbd14f2969df529260c41d69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/finelog/dashboard/src/components/layout/AppHeader.vue"}, "region": {"startLine": 14}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 128072, "scanner": "repobility-agent-runtime", "fingerprint": "af4bf02cc5c42637f39b6af6d9e0eb89121c1ea696fe185226bec000bfe1cb1e", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|af4bf02cc5c42637f39b6af6d9e0eb89121c1ea696fe185226bec000bfe1cb1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/pre-commit.py"}, "region": {"startLine": 624}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 128032, "scanner": "repobility-threat-engine", "fingerprint": "bc48871da3c5f42e49c7eb9247a8fda987eac7834fac531b58a475cf12a185ae", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|139|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/finelog/src/query/udf.rs"}, "region": {"startLine": 139}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 128021, "scanner": "repobility-threat-engine", "fingerprint": "d063b40f0950461b5b36e177b234459448523e845ddb2be23e0d82d308627a1e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n        art = wandb.use_artifact(artifact_name)\n        table = art.get(log_key)\n        return", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d063b40f0950461b5b36e177b234459448523e845ddb2be23e0d82d308627a1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/codehealth/log_stats.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 128017, "scanner": "repobility-threat-engine", "fingerprint": "322d4e945de6d7e2d1941f05154debfc8ade99e78ae6763f56815de231ace6be", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|322d4e945de6d7e2d1941f05154debfc8ade99e78ae6763f56815de231ace6be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/codehealth/log_stats.py"}, "region": {"startLine": 201}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 128016, "scanner": "repobility-threat-engine", "fingerprint": "85bdf421f6bdab09e1b45622f30f4c0abee6f3a3afb6f9d8632140d08ba735d9", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|85bdf421f6bdab09e1b45622f30f4c0abee6f3a3afb6f9d8632140d08ba735d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/swe_rebench_trace/tracer.py"}, "region": {"startLine": 209}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `_run` has cognitive complexity 21 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: and=3, continue=1, else=1, for=3, if=7, nested_bonus=6."}, "properties": {"repobilityId": 127977, "scanner": "repobility-threat-engine", "fingerprint": "da00ce042b347255d2f989deb11aca09a4d4a6649beac6084b1a60eec0d5300a", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 21 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_run", "breakdown": {"if": 7, "and": 3, "for": 3, "else": 1, "continue": 1, "nested_bonus": 6}, "complexity": 21, "correlation_key": "fp|da00ce042b347255d2f989deb11aca09a4d4a6649beac6084b1a60eec0d5300a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/datakit/cluster/domain/v0/ops/coherence_eval.py"}, "region": {"startLine": 172}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 128102, "scanner": "repobility-docker", "fingerprint": "046b643ac583dcbed4631ab15920f787b170a6840630a6c4f00d8c1462c7dedc", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|046b643ac583dcbed4631ab15920f787b170a6840630a6c4f00d8c1462c7dedc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docker/tpu/Dockerfile.cluster"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 128101, "scanner": "repobility-docker", "fingerprint": "9665a24f0dfe4fc8686b0c73fa21548803ad1a83265bc062b450811b612f1989", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9665a24f0dfe4fc8686b0c73fa21548803ad1a83265bc062b450811b612f1989"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docker/tpu/Dockerfile.cluster"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 128100, "scanner": "repobility-docker", "fingerprint": "087139eba70ec30540685d4d3b07ce62a624ff805ba62ad8b8b5229fbc847a4f", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|087139eba70ec30540685d4d3b07ce62a624ff805ba62ad8b8b5229fbc847a4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docker/tpu/Dockerfile.cluster"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 128097, "scanner": "repobility-docker", "fingerprint": "bec0da399269a0638c30f1795aa989a675c3c6580414195505604ff3c001a8d9", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|bec0da399269a0638c30f1795aa989a675c3c6580414195505604ff3c001a8d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docker/tpu/Dockerfile.base"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 128096, "scanner": "repobility-docker", "fingerprint": "d551e810e7b8a1407ed5cb607949ed486e61ee1b6d93f4565f89825f439e069a", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|d551e810e7b8a1407ed5cb607949ed486e61ee1b6d93f4565f89825f439e069a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docker/tpu/Dockerfile.base"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 128095, "scanner": "repobility-docker", "fingerprint": "83f432758bb38815978411bd62bf9300913e691f355cffcc075af8a3945060d8", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|83f432758bb38815978411bd62bf9300913e691f355cffcc075af8a3945060d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docker/tpu/Dockerfile.base"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 128094, "scanner": "repobility-docker", "fingerprint": "556ca32a912b5aed058c4cc49e4001683f1b9d0b0b40ee69f280c29444620bde", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|556ca32a912b5aed058c4cc49e4001683f1b9d0b0b40ee69f280c29444620bde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docker/tpu/Dockerfile.base"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 128093, "scanner": "repobility-docker", "fingerprint": "92fcd141d907829687a2226e464907069d7cf120dd4a4e779fb4fc962ba0b39e", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|92fcd141d907829687a2226e464907069d7cf120dd4a4e779fb4fc962ba0b39e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docker/tpu/Dockerfile.base"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 128089, "scanner": "repobility-docker", "fingerprint": "46a99684399310f57c2ac074950d4d74d75c764519cae6cbd27145bb132756df", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|46a99684399310f57c2ac074950d4d74d75c764519cae6cbd27145bb132756df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/Dockerfile"}, "region": {"startLine": 93}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 128082, "scanner": "repobility-docker", "fingerprint": "ddb6bb74400cef4f70a93ceaecc229081b0b8ca264d5ca792fae083978c1446b", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|ddb6bb74400cef4f70a93ceaecc229081b0b8ca264d5ca792fae083978c1446b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/marin/Dockerfile.vllm"}, "region": {"startLine": 93}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 128081, "scanner": "repobility-docker", "fingerprint": "69ae6388cac5b1f5dbe3393dabaf0a0772e9397626280acbde6aaff9535c48a3", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|69ae6388cac5b1f5dbe3393dabaf0a0772e9397626280acbde6aaff9535c48a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/marin/Dockerfile.vllm"}, "region": {"startLine": 52}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 128080, "scanner": "repobility-docker", "fingerprint": "1bea7c19f1d22bd5bd46ae87777ec907f1fd9c581cde979fc1de35a3256f4bda", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|1bea7c19f1d22bd5bd46ae87777ec907f1fd9c581cde979fc1de35a3256f4bda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/marin/Dockerfile.vllm"}, "region": {"startLine": 52}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 128079, "scanner": "repobility-docker", "fingerprint": "d3dd0fa7fc4c10cc5a099bbb7a17e9611d00d434f9612d7f5f8f0138f7df9941", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d3dd0fa7fc4c10cc5a099bbb7a17e9611d00d434f9612d7f5f8f0138f7df9941"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/marin/Dockerfile.vllm"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 128078, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128071, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6819dd2dd2949826381aa8ae09091da769da49b888c33569b6c9bc6f27a081a9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/scaling_law_sweeps/c_adamc.py", "duplicate_line": 78, "correlation_key": "fp|6819dd2dd2949826381aa8ae09091da769da49b888c33569b6c9bc6f27a081a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/scaling_law_sweeps/completed_adamh.py"}, "region": {"startLine": 146}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128070, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d5bd3a38a4592b482a6701cda2b74a37dcb20ed233baf1e1aa72146efa3b3957", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/grug/moe/heuristic.py", "duplicate_line": 127, "correlation_key": "fp|d5bd3a38a4592b482a6701cda2b74a37dcb20ed233baf1e1aa72146efa3b3957"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/scaling_law_sweeps/completed_adamh.py"}, "region": {"startLine": 143}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128069, "scanner": "repobility-ai-code-hygiene", "fingerprint": "65aaab3464556d0eccb8e223e6cd482d3d950797129758d20fb03e879dfad102", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/grug/moe/heuristic.py", "duplicate_line": 128, "correlation_key": "fp|65aaab3464556d0eccb8e223e6cd482d3d950797129758d20fb03e879dfad102"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/scaling_law_sweeps/c_adamc.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128068, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1ea9a1bd37181dde352a688d093493dfd53eb33ca00a592576a33f4864776252", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/rollout_data/coderforge.py", "duplicate_line": 15, "correlation_key": "fp|1ea9a1bd37181dde352a688d093493dfd53eb33ca00a592576a33f4864776252"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/rollout_data/synthetic1.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128067, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8ddfe48657fd4e9b51562e955404e0bcb4c802610a8aa9cbf704870c4f88caa6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/rollout_data/coderforge.py", "duplicate_line": 15, "correlation_key": "fp|8ddfe48657fd4e9b51562e955404e0bcb4c802610a8aa9cbf704870c4f88caa6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/rollout_data/principia.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128066, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b3187a4646d71cf01a793d58795c7da85569120f0d8c252c1b3e5270962011c9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/rollout_data/coderforge.py", "duplicate_line": 15, "correlation_key": "fp|b3187a4646d71cf01a793d58795c7da85569120f0d8c252c1b3e5270962011c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/rollout_data/gpt_oss_rollouts.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128065, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f676288d8ee8aa3c460b117e35deb19562834a05e791662b58add73849928df7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/chat_templates/llama3pt1_chat_template.py", "duplicate_line": 6, "correlation_key": "fp|f676288d8ee8aa3c460b117e35deb19562834a05e791662b58add73849928df7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/llama.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128064, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ed845d1384bde2dc672f60035076abf63381571806bdc97ae655edcfe0004f9d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/grug/modular_opt/train.py", "duplicate_line": 52, "correlation_key": "fp|ed845d1384bde2dc672f60035076abf63381571806bdc97ae655edcfe0004f9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/grug/moe/train.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128063, "scanner": "repobility-ai-code-hygiene", "fingerprint": "046316366f98ca6557ad19e84fe85e6d243581782be34a6f074386838302fbc2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/grug/base/train.py", "duplicate_line": 67, "correlation_key": "fp|046316366f98ca6557ad19e84fe85e6d243581782be34a6f074386838302fbc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/grug/moe/train.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128062, "scanner": "repobility-ai-code-hygiene", "fingerprint": "43d2439c9e433c81821a73a5a850eb89cd86ca715c2911cb8b332a6e0219bfdf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/grug/base/model.py", "duplicate_line": 98, "correlation_key": "fp|43d2439c9e433c81821a73a5a850eb89cd86ca715c2911cb8b332a6e0219bfdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/grug/moe/model.py"}, "region": {"startLine": 145}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128061, "scanner": "repobility-ai-code-hygiene", "fingerprint": "89ae6603b5bad41d53eb31ffe699e253145223611f51d82851b88b4c5a0ecfc4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/grug/modular_opt/launch.py", "duplicate_line": 171, "correlation_key": "fp|89ae6603b5bad41d53eb31ffe699e253145223611f51d82851b88b4c5a0ecfc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/grug/moe/launch.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128060, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0f2575e6b51cbb0a89ed42919b232dc61910005501bbdec833ea257621f1562f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/grug/base/launch.py", "duplicate_line": 34, "correlation_key": "fp|0f2575e6b51cbb0a89ed42919b232dc61910005501bbdec833ea257621f1562f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/grug/moe/launch.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128059, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c8ec795e620434fbca574a877245643d13de9f559b64dc5b820249107b4356a3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/grug/base/train.py", "duplicate_line": 62, "correlation_key": "fp|c8ec795e620434fbca574a877245643d13de9f559b64dc5b820249107b4356a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/grug/modular_opt/train.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128058, "scanner": "repobility-ai-code-hygiene", "fingerprint": "57db58cea2ad27f4dacbd73a70e6be75307f4c82ff3ba11ca71aea7e6ed82c20", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/grug/base/model.py", "duplicate_line": 18, "correlation_key": "fp|57db58cea2ad27f4dacbd73a70e6be75307f4c82ff3ba11ca71aea7e6ed82c20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/grug/modular_opt/model.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128057, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d3a5ba4604cd7187673b3da28215d3f9d05fa3ab75c8e42a9bccb8041f9bbfe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/grug/base/launch.py", "duplicate_line": 36, "correlation_key": "fp|9d3a5ba4604cd7187673b3da28215d3f9d05fa3ab75c8e42a9bccb8041f9bbfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/grug/modular_opt/launch.py"}, "region": {"startLine": 123}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128056, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0b8d05344eb0b1242ee7d67c2f66d408d1f6327c115abd6b6bbd9a35b153bd2c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/datakit/testbed/train.py", "duplicate_line": 184, "correlation_key": "fp|0b8d05344eb0b1242ee7d67c2f66d408d1f6327c115abd6b6bbd9a35b153bd2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/grug/base/launch.py"}, "region": {"startLine": 190}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128055, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d826f446402ba962f2a8c1665ece73f7ac9b15cfdb6abd9f595e6eb58ab53985", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/ferries/datakit_ferry.py", "duplicate_line": 11, "correlation_key": "fp|d826f446402ba962f2a8c1665ece73f7ac9b15cfdb6abd9f595e6eb58ab53985"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/ferries/datakit_tier2_skewed_ferry.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128054, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9e979261e6ccd594c6b600f231d924120920f3d71d54a7f334987402f010cdb3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/ferries/datakit_ferry.py", "duplicate_line": 11, "correlation_key": "fp|9e979261e6ccd594c6b600f231d924120920f3d71d54a7f334987402f010cdb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/ferries/datakit_nemotron_ferry.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128053, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f4b11c2acb7b20449eddf3d6d52f5c5e3b2d60325997ec7b8bbbae2baa870e43", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/exp_model_perplexity_gap_code_interpretation_32b.py", "duplicate_line": 28, "correlation_key": "fp|f4b11c2acb7b20449eddf3d6d52f5c5e3b2d60325997ec7b8bbbae2baa870e43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/exp_model_perplexity_gap_prompt_format_sensitivity_32b.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128052, "scanner": "repobility-ai-code-hygiene", "fingerprint": "06e8357a93d86e9324d67eca9a163b83c742e48b9ee45a97364aefdf9fbd81a5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/evals/model_perplexity_gap_suite.py", "duplicate_line": 92, "correlation_key": "fp|06e8357a93d86e9324d67eca9a163b83c742e48b9ee45a97364aefdf9fbd81a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/exp_model_perplexity_gap_prompt_format_sensitivity_32b.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128051, "scanner": "repobility-ai-code-hygiene", "fingerprint": "36dd31c6596c7eef1c1715b21184603e7511f00c65977fa16919513da094e94c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/evals/model_perplexity_gap_suite.py", "duplicate_line": 92, "correlation_key": "fp|36dd31c6596c7eef1c1715b21184603e7511f00c65977fa16919513da094e94c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/exp_model_perplexity_gap_code_interpretation_32b.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128050, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a3ab1c8c1a5acd34e18c527f14ed148bc2f48e0dc0067857eeb58b7acf60a2d3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/exp1337_delphi_suite.py", "duplicate_line": 63, "correlation_key": "fp|a3ab1c8c1a5acd34e18c527f14ed148bc2f48e0dc0067857eeb58b7acf60a2d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/exp2166_scaling_ladder_analysis.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128049, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6073e4aa328c38c5a77c3a277047a2af1755733d44ed0d3b7b9fd5f6fbc082ee", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/evals/code_interpretation_ppl.py", "duplicate_line": 2, "correlation_key": "fp|6073e4aa328c38c5a77c3a277047a2af1755733d44ed0d3b7b9fd5f6fbc082ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/evals/prompt_format_sensitivity.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128048, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d625cc180df6b1e4d92a8b6d47ec1f103250fbca551b11ba95b6a4d59277fb50", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/datakit/dedup/ops/fetch_cluster_texts.py", "duplicate_line": 74, "correlation_key": "fp|d625cc180df6b1e4d92a8b6d47ec1f103250fbca551b11ba95b6a4d59277fb50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/datakit/dedup/ops/fetch_cluster_texts_zephyr.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128047, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8ac702fd16453afd4f5e18056195bd4b31d196d9680065559ab5485ce01d2f37", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/datakit/decontam/ops/precision_analysis.py", "duplicate_line": 69, "correlation_key": "fp|8ac702fd16453afd4f5e18056195bd4b31d196d9680065559ab5485ce01d2f37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/datakit/decontam/ops/recall_analysis.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128046, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a0af09e135a9fcbb47ec56fa59b79cbb8fec504bb156bb46fe87c162cbe765fa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/datakit/cluster/quality/v0/ops/eval_holdout.py", "duplicate_line": 155, "correlation_key": "fp|a0af09e135a9fcbb47ec56fa59b79cbb8fec504bb156bb46fe87c162cbe765fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/datakit/cluster/quality/v0/ops/eval_vs_dolma3.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128045, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4aac0e6e97c87abcea0311fb3f7ee8177e5663e93c2bf81be368b815e280bcc2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/datakit/cluster/quality/dolma3_quality/all_sources_quality.py", "duplicate_line": 80, "correlation_key": "fp|4aac0e6e97c87abcea0311fb3f7ee8177e5663e93c2bf81be368b815e280bcc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/datakit/cluster/quality/v0/all_sources_quality_llm.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128044, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f9fba5aa1e9f498b09e450113785a310a1ce8ada5f030db83721415d3b804e28", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/datakit/cluster/domain/weborganizer/all_sources_topic.py", "duplicate_line": 77, "correlation_key": "fp|f9fba5aa1e9f498b09e450113785a310a1ce8ada5f030db83721415d3b804e28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/datakit/cluster/quality/v0/all_sources_quality_llm.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128043, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cfb55e99b4e0c2db77c5684244e1ec9bd107e5c9a3724dcba144a123e2c8ebef", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/datakit/cluster/domain/weborganizer/all_sources_topic.py", "duplicate_line": 77, "correlation_key": "fp|cfb55e99b4e0c2db77c5684244e1ec9bd107e5c9a3724dcba144a123e2c8ebef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/datakit/cluster/quality/dolma3_quality/all_sources_quality.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128042, "scanner": "repobility-ai-code-hygiene", "fingerprint": "02911694e87a93ce90c036fb760d981c8518805bdeadf7784131e6865f22d260", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experiments/datakit/cluster/domain/v0/exp_full_clusters.py", "duplicate_line": 132, "correlation_key": "fp|02911694e87a93ce90c036fb760d981c8518805bdeadf7784131e6865f22d260"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/datakit/cluster/domain/v0/ops/exp_smoke.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 128036, "scanner": "repobility-threat-engine", "fingerprint": "de2c64a60730da6de605784b5996be20974f8f2e10cfd088c382ec8388b570a4", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'/api/rules/' + id + '/cost'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|de2c64a60730da6de605784b5996be20974f8f2e10cfd088c382ec8388b570a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ops/storage/dashboard/api.js"}, "region": {"startLine": 39}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `_inject_special_tokens` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=2, if=3, nested_bonus=6."}, "properties": {"repobilityId": 127976, "scanner": "repobility-threat-engine", "fingerprint": "64daa4e3b949d83ece81964528edc5c267b2f54fec73b4c3000733e844876655", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_inject_special_tokens", "breakdown": {"if": 3, "for": 2, "nested_bonus": 6}, "complexity": 11, "correlation_key": "fp|64daa4e3b949d83ece81964528edc5c267b2f54fec73b4c3000733e844876655"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/create_marin_tokenizer.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `plot_trajectories` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=2, for=2, if=3, nested_bonus=4, ternary=1."}, "properties": {"repobilityId": 127975, "scanner": "repobility-threat-engine", "fingerprint": "81c667f54f7f7d5633fdc7229dc9369aae0f509bdb0985da2514db6c0d01afd8", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 12 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "plot_trajectories", "breakdown": {"if": 3, "for": 2, "else": 2, "ternary": 1, "nested_bonus": 4}, "complexity": 12, "correlation_key": "fp|81c667f54f7f7d5633fdc7229dc9369aae0f509bdb0985da2514db6c0d01afd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/design/plot_plateau_detection.py"}, "region": {"startLine": 103}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 128103, "scanner": "repobility-docker", "fingerprint": "39f135b6ad112f02eb923ea2c2b21a3fc8ccd1da3c226535b844c8c390a4ede9", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${IMAGE}:${TAG}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|39f135b6ad112f02eb923ea2c2b21a3fc8ccd1da3c226535b844c8c390a4ede9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docker/tpu/Dockerfile.incremental"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 128099, "scanner": "repobility-docker", "fingerprint": "675a8f2e9444070093239f5973ab6ab226cdb6b80230bd00aa3658b8e9c58c3f", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${IMAGE}:${TAG}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|675a8f2e9444070093239f5973ab6ab226cdb6b80230bd00aa3658b8e9c58c3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docker/tpu/Dockerfile.cluster"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 128039, "scanner": "repobility-threat-engine", "fingerprint": "78b47bacbb4b68d8c24a9df0e9e7d0be0de200d25811db3a1c7b1ca6cffb8e4b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|78b47bacbb4b68d8c24a9df0e9e7d0be0de200d25811db3a1c7b1ca6cffb8e4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/pm/gh_issues_from_markdown.py"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 128038, "scanner": "repobility-threat-engine", "fingerprint": "d3a8e9c8500445f83cbb1df4c66ea384b3393caad0febe031f5d525c362839ca", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d3a8e9c8500445f83cbb1df4c66ea384b3393caad0febe031f5d525c362839ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/pm/gh_issues_from_markdown.py"}, "region": {"startLine": 208}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 128031, "scanner": "repobility-threat-engine", "fingerprint": "de1cf28d4be567d72467a52ca8f61ae74a513a6bf554777cbd3163722b68f760", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|de1cf28d4be567d72467a52ca8f61ae74a513a6bf554777cbd3163722b68f760", "aggregated_count": 3}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 128030, "scanner": "repobility-threat-engine", "fingerprint": "5a799e09daec3645282140859c981fc6214ca042cc8fdfe58d28f8c8f80a1d1a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5a799e09daec3645282140859c981fc6214ca042cc8fdfe58d28f8c8f80a1d1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/finelog/src/query/udf.rs"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 128029, "scanner": "repobility-threat-engine", "fingerprint": "ce455c2021db2b09bb35256e34a6dc48bce6300790cc408cd05768920a0d43bf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ce455c2021db2b09bb35256e34a6dc48bce6300790cc408cd05768920a0d43bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/finelog/src/main.rs"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 128028, "scanner": "repobility-threat-engine", "fingerprint": "5870caef44f887680032a6629f65142ef92790cf71f1ad5ccb1c7ccf75ac932a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5870caef44f887680032a6629f65142ef92790cf71f1ad5ccb1c7ccf75ac932a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/finelog/build.rs"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 128027, "scanner": "repobility-threat-engine", "fingerprint": "1f2fc65d39310bdb943b9d7192adfaaf356cfc924d7dfd10683d4e26ec678f3e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1f2fc65d39310bdb943b9d7192adfaaf356cfc924d7dfd10683d4e26ec678f3e", "aggregated_count": 10}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 128023, "scanner": "repobility-threat-engine", "fingerprint": "c71b598e5dc967c772ff759a8f763d20cf2bc994582f7b3b14e782ad07c742c3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c71b598e5dc967c772ff759a8f763d20cf2bc994582f7b3b14e782ad07c742c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/dupekit/src/minhash_ops.rs"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 128022, "scanner": "repobility-threat-engine", "fingerprint": "80dbb6272df12c87dfe22eaa2349e4003162b1c041902fd952ad519fd79d2bea", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|80dbb6272df12c87dfe22eaa2349e4003162b1c041902fd952ad519fd79d2bea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/status-page/server/main.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 128015, "scanner": "repobility-threat-engine", "fingerprint": "62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "aggregated_count": 2}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 128014, "scanner": "repobility-threat-engine", "fingerprint": "51b8335aec4767d9e1938ca46964b9ebca9eb634c95dbc814f4d9b14b982669f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|51b8335aec4767d9e1938ca46964b9ebca9eb634c95dbc814f4d9b14b982669f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/probes/deploy/deploy.py"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 128013, "scanner": "repobility-threat-engine", "fingerprint": "67d72ff04e383a0014e2d5f76565fe3f8b4fa15982f2263263a1e6534f1efc7b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|67d72ff04e383a0014e2d5f76565fe3f8b4fa15982f2263263a1e6534f1efc7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/iris-iap-proxy/discovery.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 128012, "scanner": "repobility-threat-engine", "fingerprint": "364b10d949e3f00068cc8366d6963b801c6e3cb7014fb8565c14f39f149c2bb5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|364b10d949e3f00068cc8366d6963b801c6e3cb7014fb8565c14f39f149c2bb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/swe_rebench_trace/proxy.py"}, "region": {"startLine": 305}}}]}, {"ruleId": "MINED001", "level": "none", "message": {"text": "[MINED001] Bare Except Pass (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 128011, "scanner": "repobility-threat-engine", "fingerprint": "3ed4a11ec48650075e843160edf55362aa121897a652d0286a1dc826dd94d954", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3ed4a11ec48650075e843160edf55362aa121897a652d0286a1dc826dd94d954", "aggregated_count": 1}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 128006, "scanner": "repobility-threat-engine", "fingerprint": "0e87fb84ca93ee29f593dc34b2e01034b2b11f7cd91040a7dfa844a7632b0d1e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0e87fb84ca93ee29f593dc34b2e01034b2b11f7cd91040a7dfa844a7632b0d1e", "aggregated_count": 6}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 128005, "scanner": "repobility-threat-engine", "fingerprint": "2040f6f265d2746fe9d56530617d5d63b14208d5c38ff00469f6bacd9ca85e74", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2040f6f265d2746fe9d56530617d5d63b14208d5c38ff00469f6bacd9ca85e74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/swe_rebench_trace/proxy.py"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 128004, "scanner": "repobility-threat-engine", "fingerprint": "9d73f525e95a54eedd6d2a78477b426cc514f721f76af3cf64bf166011a89a2a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9d73f525e95a54eedd6d2a78477b426cc514f721f76af3cf64bf166011a89a2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/posttrain/preference_datasets.py"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 128003, "scanner": "repobility-threat-engine", "fingerprint": "5aeab9018e2f391558cf2c6c4e81bd3cdfd2c70e3ec91ca7a1cee7c2d5492b28", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5aeab9018e2f391558cf2c6c4e81bd3cdfd2c70e3ec91ca7a1cee7c2d5492b28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/plantcad/exp1729_plantcad_train.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 128002, "scanner": "repobility-threat-engine", "fingerprint": "dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 127998, "scanner": "repobility-threat-engine", "fingerprint": "4b9a4fefd8163e8e417a9cb6780f3315c1f451b1a7ce33528729dad342398819", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4b9a4fefd8163e8e417a9cb6780f3315c1f451b1a7ce33528729dad342398819"}}}, {"ruleId": "MINED063", "level": "none", "message": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "properties": {"repobilityId": 127994, "scanner": "repobility-threat-engine", "fingerprint": "c033f2c7952ffdbfd59e294bbe1e231baee5cec5370d05f7c16e53e797fb6e32", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "toctou-os-path-exists", "owasp": null, "cwe_ids": ["CWE-367"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348048+00:00", "triaged_in_corpus": 12, "observations_count": 90754, "ai_coder_pattern_id": 41}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c033f2c7952ffdbfd59e294bbe1e231baee5cec5370d05f7c16e53e797fb6e32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/datakit/decontam/ops/recall_analysis.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED063", "level": "none", "message": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "properties": {"repobilityId": 127993, "scanner": "repobility-threat-engine", "fingerprint": "30c9c8210ee93f4c707fb109a8b9e9bd2db542381893875271b3e9d2d6277ecb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "toctou-os-path-exists", "owasp": null, "cwe_ids": ["CWE-367"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348048+00:00", "triaged_in_corpus": 12, "observations_count": 90754, "ai_coder_pattern_id": 41}, "scanner": "repobility-threat-engine", "correlation_key": "fp|30c9c8210ee93f4c707fb109a8b9e9bd2db542381893875271b3e9d2d6277ecb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/datakit/cluster/quality/v0/rubric.py"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED063", "level": "none", "message": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "properties": {"repobilityId": 127992, "scanner": "repobility-threat-engine", "fingerprint": "de39db7de9ed5748fe952933d53642032499de6485f9c376293df79904677a3b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "toctou-os-path-exists", "owasp": null, "cwe_ids": ["CWE-367"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348048+00:00", "triaged_in_corpus": 12, "observations_count": 90754, "ai_coder_pattern_id": 41}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de39db7de9ed5748fe952933d53642032499de6485f9c376293df79904677a3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/create_marin_tokenizer.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 127991, "scanner": "repobility-threat-engine", "fingerprint": "ca934588c6d63595734e6ff8869b2ec0417aefcb029d8326d9b08376f4b38177", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ca934588c6d63595734e6ff8869b2ec0417aefcb029d8326d9b08376f4b38177", "aggregated_count": 6}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 127990, "scanner": "repobility-threat-engine", "fingerprint": "fd518d839ef26fa3647acc9c0927f479362c48934dccfe5051d7aca66e6e5d9f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fd518d839ef26fa3647acc9c0927f479362c48934dccfe5051d7aca66e6e5d9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/exp2166_scaling_ladder_analysis.py"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 127989, "scanner": "repobility-threat-engine", "fingerprint": "5b4e8adb21839fe2d4d3aa286f49759429ab9e2385bc4b21bd8dcb7cfd7ec5cf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5b4e8adb21839fe2d4d3aa286f49759429ab9e2385bc4b21bd8dcb7cfd7ec5cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/exp1337_delphi_suite.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 127988, "scanner": "repobility-threat-engine", "fingerprint": "34bd75e70197c5198d2951d69830250de9249ff06c0d19f4132058bd466eec8a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|34bd75e70197c5198d2951d69830250de9249ff06c0d19f4132058bd466eec8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/create_marin_tokenizer.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 127987, "scanner": "repobility-threat-engine", "fingerprint": "07871f2f2d51c51c8dfed34ea234620430442a7d3ea2e03c868a7ef341ab143b", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|07871f2f2d51c51c8dfed34ea234620430442a7d3ea2e03c868a7ef341ab143b"}}}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 127983, "scanner": "repobility-threat-engine", "fingerprint": "e0c331a47e5302de477ea3f98b1d759fb45df2092d3716a64a31fe7905045b62", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e0c331a47e5302de477ea3f98b1d759fb45df2092d3716a64a31fe7905045b62", "aggregated_count": 20}}}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 127982, "scanner": "repobility-threat-engine", "fingerprint": "5594d9406c8d48117d8073b53ff1be31eb94f5f63524493508fc3f8528edaefb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5594d9406c8d48117d8073b53ff1be31eb94f5f63524493508fc3f8528edaefb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/datakit/testbed/train.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 127981, "scanner": "repobility-threat-engine", "fingerprint": "7983c1297c18b333ef8ecbed18a6bbfed12ee1082d26b2f73f90aa4801d08a22", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7983c1297c18b333ef8ecbed18a6bbfed12ee1082d26b2f73f90aa4801d08a22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/datakit/testbed/mixture.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 127980, "scanner": "repobility-threat-engine", "fingerprint": "d9ed8fa2fab334c77f21da94d8f3a89e031fabfb11ec440a417c0376cf0e67e5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d9ed8fa2fab334c77f21da94d8f3a89e031fabfb11ec440a417c0376cf0e67e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/bio_chem_notation.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 61 more): Same pattern found in 61 additional files. Review if needed."}, "properties": {"repobilityId": 127978, "scanner": "repobility-threat-engine", "fingerprint": "e6ffd8dac35215126fe44a131681c4ff601b22310456d26c77f0be77a3143c7c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 61 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "plot_trajectories", "breakdown": {"if": 3, "for": 2, "else": 2, "ternary": 1, "nested_bonus": 4}, "aggregated": true, "complexity": 12, "correlation_key": "fp|e6ffd8dac35215126fe44a131681c4ff601b22310456d26c77f0be77a3143c7c", "aggregated_count": 61}}}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ghcr.io/marin-community/iris-task:latest` not pinned by digest: `FROM ghcr.io/marin-community/iris-task:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128299, "scanner": "repobility-supply-chain", "fingerprint": "fbba181f8d2f39634886c4c669835665eb4f546107e0b70ba08f01f5f38226f3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fbba181f8d2f39634886c4c669835665eb4f546107e0b70ba08f01f5f38226f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/swe_rebench_trace/Dockerfile"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `google-github-actions/setup-gcloud` pinned to mutable ref `@v2`: `uses: google-github-actions/setup-gcloud@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128275, "scanner": "repobility-supply-chain", "fingerprint": "2ae6e710a734c1ecf545d8663652050e6d4ecba85de265c7f493d7aea4845879", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2ae6e710a734c1ecf545d8663652050e6d4ecba85de265c7f493d7aea4845879"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/marin-canary-datakit-tier3.yaml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `google-github-actions/auth` pinned to mutable ref `@v2`: `uses: google-github-actions/auth@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128274, "scanner": "repobility-supply-chain", "fingerprint": "e7e988a1c58ae32625b03517c5fe39c9c7886ac2eaa551f6028980d8db69406e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e7e988a1c58ae32625b03517c5fe39c9c7886ac2eaa551f6028980d8db69406e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/marin-canary-datakit-tier3.yaml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v7`: `uses: astral-sh/setup-uv@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128273, "scanner": "repobility-supply-chain", "fingerprint": "3b60176b77774ec971fdc79d4b873b8e87bd57046f9466f053ba851a1158e9ef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3b60176b77774ec971fdc79d4b873b8e87bd57046f9466f053ba851a1158e9ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/marin-canary-datakit-tier3.yaml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128272, "scanner": "repobility-supply-chain", "fingerprint": "692454ee45708fd09d4ee1d673726d9bf3a19a175ece3d6cb9caf4e9ffeab70c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|692454ee45708fd09d4ee1d673726d9bf3a19a175ece3d6cb9caf4e9ffeab70c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/marin-canary-datakit-tier3.yaml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128271, "scanner": "repobility-supply-chain", "fingerprint": "447c50a58bae90ae1eee01bacda61f972e9aa84d2905b079efe14e59f0bb2763", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|447c50a58bae90ae1eee01bacda61f972e9aa84d2905b079efe14e59f0bb2763"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/marin-canary-datakit-tier3.yaml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v5`: `uses: astral-sh/setup-uv@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128270, "scanner": "repobility-supply-chain", "fingerprint": "3b93f6a923f926a662933538169c40462c849f8528013ef45026a9b827cd1f69", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3b93f6a923f926a662933538169c40462c849f8528013ef45026a9b827cd1f69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ops-claude.yaml"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128269, "scanner": "repobility-supply-chain", "fingerprint": "29656c4224e9b8a88b4a3097ef74165802328f6387a33bfde6d7e2615789152c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|29656c4224e9b8a88b4a3097ef74165802328f6387a33bfde6d7e2615789152c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ops-claude.yaml"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128268, "scanner": "repobility-supply-chain", "fingerprint": "79c44b4b936ce800163312e015398a80ccc9ab139942df2e98f8f5ab9f5e26d3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|79c44b4b936ce800163312e015398a80ccc9ab139942df2e98f8f5ab9f5e26d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ops-claude.yaml"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v5`: `uses: astral-sh/setup-uv@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128267, "scanner": "repobility-supply-chain", "fingerprint": "3f3513aa0c3df99c9795bfeafe453fc8f2ea6f31b22bc27dbf28e1471b4e56b6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3f3513aa0c3df99c9795bfeafe453fc8f2ea6f31b22bc27dbf28e1471b4e56b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ops-claude.yaml"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128266, "scanner": "repobility-supply-chain", "fingerprint": "1e7c343f1aa6acc76723da942f95a5fe27dd14c6d0d74c9b65ccc91ce375a175", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e7c343f1aa6acc76723da942f95a5fe27dd14c6d0d74c9b65ccc91ce375a175"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ops-claude.yaml"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128265, "scanner": "repobility-supply-chain", "fingerprint": "8ca10d9d4234bdd65a5a8ffc7e171bf51bc1e90ad1c38288edf31849775488e8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8ca10d9d4234bdd65a5a8ffc7e171bf51bc1e90ad1c38288edf31849775488e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ops-claude.yaml"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v5`: `uses: astral-sh/setup-uv@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128264, "scanner": "repobility-supply-chain", "fingerprint": "c07d83147e35276882717005f65138724f29a077f5d6eeee2158d81edb1f35c2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c07d83147e35276882717005f65138724f29a077f5d6eeee2158d81edb1f35c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ops-claude.yaml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128263, "scanner": "repobility-supply-chain", "fingerprint": "4e6467295724c25f78e6f1525c956941d0fed819a49a4e60783e455500ff55dd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e6467295724c25f78e6f1525c956941d0fed819a49a4e60783e455500ff55dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ops-claude.yaml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128262, "scanner": "repobility-supply-chain", "fingerprint": "9b8f57bfd34994980bfd2696b04b999ecbec0067e959b9933a48706b0c985345", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9b8f57bfd34994980bfd2696b04b999ecbec0067e959b9933a48706b0c985345"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ops-claude.yaml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v6`: `uses: astral-sh/setup-uv@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128261, "scanner": "repobility-supply-chain", "fingerprint": "356e186c732df5ed477131738edaf53af7ba9c643748340e4ab9b930673c4e1d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|356e186c732df5ed477131738edaf53af7ba9c643748340e4ab9b930673c4e1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/zephyr-unit.yaml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128260, "scanner": "repobility-supply-chain", "fingerprint": "a485fa155df218e130ea93d1ada0eef1b1bb8772d55168af11d2d4041a49f881", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a485fa155df218e130ea93d1ada0eef1b1bb8772d55168af11d2d4041a49f881"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/zephyr-unit.yaml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128259, "scanner": "repobility-supply-chain", "fingerprint": "f50d79480c7634df156f08700dc50a765bd4558b26b368bfb0acf2bc737de5d8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f50d79480c7634df156f08700dc50a765bd4558b26b368bfb0acf2bc737de5d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/zephyr-unit.yaml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128258, "scanner": "repobility-supply-chain", "fingerprint": "f2e91e79c5145205d2618ada24397715f0cec6826abfb97ded962b4b9f230d4d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f2e91e79c5145205d2618ada24397715f0cec6826abfb97ded962b4b9f230d4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/zephyr-unit.yaml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128257, "scanner": "repobility-supply-chain", "fingerprint": "43851730ef49627072dc89978f9aa8ec32de895a62b21ae41af0c9796472f188", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|43851730ef49627072dc89978f9aa8ec32de895a62b21ae41af0c9796472f188"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/zephyr-unit.yaml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v4`: `uses: github/codeql-action/analyze@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128256, "scanner": "repobility-supply-chain", "fingerprint": "eb3c0a89f48b97b9210bf6415ad2dae30049679b86635957a0c9c7c14eb7899a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb3c0a89f48b97b9210bf6415ad2dae30049679b86635957a0c9c7c14eb7899a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ops-codeql.yaml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v4`: `uses: github/codeql-action/init@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128255, "scanner": "repobility-supply-chain", "fingerprint": "094815c743dc2cfe4666d0374ef8c9e2d7513ca22f01fe16d451b8679ac45c7d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|094815c743dc2cfe4666d0374ef8c9e2d7513ca22f01fe16d451b8679ac45c7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ops-codeql.yaml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128254, "scanner": "repobility-supply-chain", "fingerprint": "c2c581d2bc631c1c529e362d3ba1ec70b931d0cf269b7505a900dfba2bf5f43f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c2c581d2bc631c1c529e362d3ba1ec70b931d0cf269b7505a900dfba2bf5f43f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ops-codeql.yaml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128253, "scanner": "repobility-supply-chain", "fingerprint": "fee4ce1f949020f52ef71683540d5877d9bad733bb5080a95003c5a2d6ff0c7c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fee4ce1f949020f52ef71683540d5877d9bad733bb5080a95003c5a2d6ff0c7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/marin-lint.yaml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v6`: `uses: astral-sh/setup-uv@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128252, "scanner": "repobility-supply-chain", "fingerprint": "8aa86619fdea401d0ba752e6cd0fb8354aae56f6d28e4a7cb810d71c0af4df42", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8aa86619fdea401d0ba752e6cd0fb8354aae56f6d28e4a7cb810d71c0af4df42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/marin-lint.yaml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128251, "scanner": "repobility-supply-chain", "fingerprint": "20604b293840b8ec76aee2fd699f7aaaf9b8c8dcfc0d6ba39e76f27e56c252b8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|20604b293840b8ec76aee2fd699f7aaaf9b8c8dcfc0d6ba39e76f27e56c252b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/marin-lint.yaml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.11-slim` not pinned by digest: `FROM python:3.11-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128250, "scanner": "repobility-supply-chain", "fingerprint": "65266b5f26c938349fd09f17ce2d9b257dba8366851a7d6ac80bf121b050870f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|65266b5f26c938349fd09f17ce2d9b257dba8366851a7d6ac80bf121b050870f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/probes/deploy/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.11-slim` not pinned by digest: `FROM python:3.11-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128249, "scanner": "repobility-supply-chain", "fingerprint": "9663d0f26aaf0812d6d8b63b88a8192aa97a055534dd09a8cf528a203e8c6e30", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9663d0f26aaf0812d6d8b63b88a8192aa97a055534dd09a8cf528a203e8c6e30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/iris-iap-proxy/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-slim` not pinned by digest: `FROM node:20-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128248, "scanner": "repobility-supply-chain", "fingerprint": "7032968335a16d0cf1678d20b683e0d064017f20cc40601290755af0c527eed8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7032968335a16d0cf1678d20b683e0d064017f20cc40601290755af0c527eed8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/status-page/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-slim` not pinned by digest: `FROM node:20-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128247, "scanner": "repobility-supply-chain", "fingerprint": "4d3a4e60ed3681e3ea6a3cd0d1a03c358d905da3c6cfe44ccbd3662e500bbdc3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d3a4e60ed3681e3ea6a3cd0d1a03c358d905da3c6cfe44ccbd3662e500bbdc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/status-page/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.11` not pinned by digest: `FROM python:3.11` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128246, "scanner": "repobility-supply-chain", "fingerprint": "42b78535331ae1280d9e8e49132a25e21e4c44f9004faba17ce378af3edabc3d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|42b78535331ae1280d9e8e49132a25e21e4c44f9004faba17ce378af3edabc3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docker/tpu/Dockerfile.base"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.11` not pinned by digest: `FROM python:3.11` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128245, "scanner": "repobility-supply-chain", "fingerprint": "5158751d0d2d1d9235a7b5fa11eed410ef82ca316baf48922a265ed02a986637", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5158751d0d2d1d9235a7b5fa11eed410ef82ca316baf48922a265ed02a986637"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/docker/tpu/Dockerfile.base"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128234, "scanner": "repobility-supply-chain", "fingerprint": "c853778fcdc2578c20c9f01fa5a56d882cc0280718d0ddb2da1f4a18ac02ce30", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c853778fcdc2578c20c9f01fa5a56d882cc0280718d0ddb2da1f4a18ac02ce30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/finelog/deploy/Dockerfile"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `rust:1-bookworm` not pinned by digest: `FROM rust:1-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128233, "scanner": "repobility-supply-chain", "fingerprint": "1f741d1ed0edcc3ebf7e2c170f1370a6b8d9306cf54f5debd343a4b05354f40b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1f741d1ed0edcc3ebf7e2c170f1370a6b8d9306cf54f5debd343a4b05354f40b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/finelog/deploy/Dockerfile"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-slim` not pinned by digest: `FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128232, "scanner": "repobility-supply-chain", "fingerprint": "3f04cac2fc217c14804560f6eb093a9772729fe17a92f4812030eeb6b8bd4bfb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3f04cac2fc217c14804560f6eb093a9772729fe17a92f4812030eeb6b8bd4bfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/finelog/deploy/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128231, "scanner": "repobility-supply-chain", "fingerprint": "f4573f8fa9be2ca29ed4d08705934fa10f9b745a069a6cb08f836a609b7271d3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f4573f8fa9be2ca29ed4d08705934fa10f9b745a069a6cb08f836a609b7271d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/Dockerfile"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128230, "scanner": "repobility-supply-chain", "fingerprint": "508a47678b2fb845a9df55717cd2ffa53e3bbe37a7d9181bcd403134b494c208", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|508a47678b2fb845a9df55717cd2ffa53e3bbe37a7d9181bcd403134b494c208"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/Dockerfile"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-slim` not pinned by digest: `FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128229, "scanner": "repobility-supply-chain", "fingerprint": "10220f72002b889e67500c141120de4a39d416536fce1ea0ac52a485e87684fe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|10220f72002b889e67500c141120de4a39d416536fce1ea0ac52a485e87684fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `rayproject/ray:2.53.0-py311-cpu` not pinned by digest: `FROM rayproject/ray:2.53.0-py311-cpu` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128228, "scanner": "repobility-supply-chain", "fingerprint": "3ab5755199dd45de34ddf22d575131d4144c10756fce7189931bbb59d2c22b0f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ab5755199dd45de34ddf22d575131d4144c10756fce7189931bbb59d2c22b0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/marin/Dockerfile.vllm"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `rust:1.91-slim` not pinned by digest: `FROM rust:1.91-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128227, "scanner": "repobility-supply-chain", "fingerprint": "dffcbece968de07e7fb1d17bd0e869b66c8b8f67b842119eb04a5d06c7d78f26", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dffcbece968de07e7fb1d17bd0e869b66c8b8f67b842119eb04a5d06c7d78f26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/marin/Dockerfile.vllm"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128226, "scanner": "repobility-supply-chain", "fingerprint": "a74b04e79589b34b0b2fd70d4e21378c99b5df23312c38b05474f4f59c19aac5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a74b04e79589b34b0b2fd70d4e21378c99b5df23312c38b05474f4f59c19aac5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/marin/Dockerfile.vllm"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128225, "scanner": "repobility-supply-chain", "fingerprint": "8d4debc02b5322dbab4b229c16a0cfdf1d79cee743094696bed3f674c6a6b1ba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8d4debc02b5322dbab4b229c16a0cfdf1d79cee743094696bed3f674c6a6b1ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/marin/Dockerfile.tpu-ci"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/tokens has no auth: Handler `fetch_tokens` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 128224, "scanner": "repobility-route-auth", "fingerprint": "889aa7b9edd49d9e716263755c6dfa50f45ac19a5de0bd235bc5a583a3ec192b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|889aa7b9edd49d9e716263755c6dfa50f45ac19a5de0bd235bc5a583a3ec192b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/src/levanter/inference/openai.py"}, "region": {"startLine": 768}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/completions has no auth: Handler `create_completion` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 128223, "scanner": "repobility-route-auth", "fingerprint": "48377dbcaebfc8fa95ebb2d33659b91c0229fc5f5f2c9a4889d4b41718311111", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|48377dbcaebfc8fa95ebb2d33659b91c0229fc5f5f2c9a4889d4b41718311111"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/src/levanter/inference/openai.py"}, "region": {"startLine": 764}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/chat/completions has no auth: Handler `create_chat_completion` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 128222, "scanner": "repobility-route-auth", "fingerprint": "03adb3121fbfc19f24a8564bc235b33bcc14d4dde28d6656058aa059cb0f6439", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|03adb3121fbfc19f24a8564bc235b33bcc14d4dde28d6656058aa059cb0f6439"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/levanter/src/levanter/inference/openai.py"}, "region": {"startLine": 760}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI PATCH iris.cluster.controller.autoscaler.runtime._probe_worker_health has no auth: Handler `test_demand_cascades_through_priority_groups_on_backoff` is registered with router/app.patch(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 128221, "scanner": "repobility-route-auth", "fingerprint": "7e6818074b1df7c6a93913d98574aa2db00b60e03fa3a1555ea0704e1db2bfef", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|7e6818074b1df7c6a93913d98574aa2db00b60e03fa3a1555ea0704e1db2bfef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/tests/cluster/controller/test_autoscaler_integration.py"}, "region": {"startLine": 241}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/sync has no auth: Handler `trigger_sync` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 128220, "scanner": "repobility-route-auth", "fingerprint": "4ad9e412184dfd0fefb545360153e73ab4bca7f42f8da679fab9c730cccb9d98", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|4ad9e412184dfd0fefb545360153e73ab4bca7f42f8da679fab9c730cccb9d98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ops/storage/dashboard/server.py"}, "region": {"startLine": 1368}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/delete-patterns/estimate has no auth: Handler `estimate_delete_patterns` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 128219, "scanner": "repobility-route-auth", "fingerprint": "597250739995bd38969c70d3abcd818ebf9a8b9d0d53d9580dbf234f99e3936a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|597250739995bd38969c70d3abcd818ebf9a8b9d0d53d9580dbf234f99e3936a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ops/storage/dashboard/server.py"}, "region": {"startLine": 1031}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI DELETE /api/delete-rules/{rule_id} has no auth: Handler `remove_delete_rule` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 128218, "scanner": "repobility-route-auth", "fingerprint": "eed7725dd7b0c5025f8c81b08b1428fa8fecbe7fc153aaa4453ab9a75ff2bee5", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|eed7725dd7b0c5025f8c81b08b1428fa8fecbe7fc153aaa4453ab9a75ff2bee5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ops/storage/dashboard/server.py"}, "region": {"startLine": 1020}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/delete-rules has no auth: Handler `create_delete_rule` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 128217, "scanner": "repobility-route-auth", "fingerprint": "328d336e3095d9e222744e071c537e061acc3af63c0b46d2bd865bdd992ed1cb", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|328d336e3095d9e222744e071c537e061acc3af63c0b46d2bd865bdd992ed1cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ops/storage/dashboard/server.py"}, "region": {"startLine": 1000}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI DELETE /api/rules/{rule_id} has no auth: Handler `remove_protect_rule` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 128216, "scanner": "repobility-route-auth", "fingerprint": "91b171817f2b2f6107a3ae6407298c648cd4a930e89239ef864c824e8beec979", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|91b171817f2b2f6107a3ae6407298c648cd4a930e89239ef864c824e8beec979"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ops/storage/dashboard/server.py"}, "region": {"startLine": 780}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/rules has no auth: Handler `create_protect_rule` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 128215, "scanner": "repobility-route-auth", "fingerprint": "b7407a2f2b1146d059acf9b7846d628617d87d4f5ec2b74c9496f45081c7e83e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|b7407a2f2b1146d059acf9b7846d628617d87d4f5ec2b74c9496f45081c7e83e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ops/storage/dashboard/server.py"}, "region": {"startLine": 758}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/login has no auth: Handler `login` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 128214, "scanner": "repobility-route-auth", "fingerprint": "fb69f4e89d668083009fde0d4253dc3ff0756820e4d68d1613b62d3e80ebb29e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|fb69f4e89d668083009fde0d4253dc3ff0756820e4d68d1613b62d3e80ebb29e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ops/storage/dashboard/server.py"}, "region": {"startLine": 300}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `requests.extend` inside async function `_fetch_until_requests`: `requests.extend` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 128185, "scanner": "repobility-ast-engine", "fingerprint": "62d5e55458a60f88dcc3a7f224937c245ba330f984a3b858dab0e62e07f81209", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|62d5e55458a60f88dcc3a7f224937c245ba330f984a3b858dab0e62e07f81209"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/test_inference_proxy.py"}, "region": {"startLine": 417}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._stub_server` used but never assigned in __init__: Method `_handle_completions` of class `_DeterministicOpenAIHandler` reads `self._stub_server`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128184, "scanner": "repobility-ast-engine", "fingerprint": "4a7e3d39c22d3e6a90dfde438bf1668a21fed411160dfeb9c1cccba734e08ad4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4a7e3d39c22d3e6a90dfde438bf1668a21fed411160dfeb9c1cccba734e08ad4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._write_json` used but never assigned in __init__: Method `_handle_completions` of class `_DeterministicOpenAIHandler` reads `self._write_json`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128183, "scanner": "repobility-ast-engine", "fingerprint": "3a99292512b1f76006ab323b62247a909070d1687f18f57764b70c655c057b45", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3a99292512b1f76006ab323b62247a909070d1687f18f57764b70c655c057b45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `_handle_completions` of class `_DeterministicOpenAIHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128182, "scanner": "repobility-ast-engine", "fingerprint": "995bdaf2d43756ee3c5f7896e44238c56a87df7e2b2d6b0aaba0ae494ac118b5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|995bdaf2d43756ee3c5f7896e44238c56a87df7e2b2d6b0aaba0ae494ac118b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._write_json` used but never assigned in __init__: Method `_handle_completions` of class `_DeterministicOpenAIHandler` reads `self._write_json`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128181, "scanner": "repobility-ast-engine", "fingerprint": "c3d6686a45d6e590406cfd827ab9e28ec2f624f7b5bac14b7bb9200841b9385e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c3d6686a45d6e590406cfd827ab9e28ec2f624f7b5bac14b7bb9200841b9385e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._write_json` used but never assigned in __init__: Method `_handle_completions` of class `_DeterministicOpenAIHandler` reads `self._write_json`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128180, "scanner": "repobility-ast-engine", "fingerprint": "e620a271f35950a4aa7ce6bf403a2b7ef8412ee07b27f68058aade3680733090", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e620a271f35950a4aa7ce6bf403a2b7ef8412ee07b27f68058aade3680733090"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._write_json` used but never assigned in __init__: Method `_handle_completions` of class `_DeterministicOpenAIHandler` reads `self._write_json`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128179, "scanner": "repobility-ast-engine", "fingerprint": "ac2dca376ad9e585e3f50eb8a473b18e40e512f435cbf42601e2a370e7a087e2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ac2dca376ad9e585e3f50eb8a473b18e40e512f435cbf42601e2a370e7a087e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._stub_server` used but never assigned in __init__: Method `_handle_completions` of class `_DeterministicOpenAIHandler` reads `self._stub_server`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128178, "scanner": "repobility-ast-engine", "fingerprint": "6b6150476926b2b029bbd807b5f890c927990dac6014aba350e92c03b4291a81", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6b6150476926b2b029bbd807b5f890c927990dac6014aba350e92c03b4291a81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._write_json` used but never assigned in __init__: Method `_handle_completions` of class `_DeterministicOpenAIHandler` reads `self._write_json`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128177, "scanner": "repobility-ast-engine", "fingerprint": "556cb3307e189f1b7b2d8b2952eaac97c9b878bbbeb0edc632d62229d3cb96fe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|556cb3307e189f1b7b2d8b2952eaac97c9b878bbbeb0edc632d62229d3cb96fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.server` used but never assigned in __init__: Method `_stub_server` of class `_DeterministicOpenAIHandler` reads `self.server`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128176, "scanner": "repobility-ast-engine", "fingerprint": "64aab0d3b6ec9e9236daaf3cd864b67acaaf710bdfad35479a9761daeabc0b3d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|64aab0d3b6ec9e9236daaf3cd864b67acaaf710bdfad35479a9761daeabc0b3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._handle_chat_completions` used but never assigned in __init__: Method `do_POST` of class `_DeterministicOpenAIHandler` reads `self._handle_chat_completions`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128175, "scanner": "repobility-ast-engine", "fingerprint": "c04e4c903b992d9a33681839d2bb2acbae79d9165b4282a35d7208848feb21c2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c04e4c903b992d9a33681839d2bb2acbae79d9165b4282a35d7208848feb21c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._handle_completions` used but never assigned in __init__: Method `do_POST` of class `_DeterministicOpenAIHandler` reads `self._handle_completions`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128174, "scanner": "repobility-ast-engine", "fingerprint": "2b885ded0848aca6853aea3a901d1a036cb40e6eb40b98a47d4c30c0b98aa06d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2b885ded0848aca6853aea3a901d1a036cb40e6eb40b98a47d4c30c0b98aa06d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._write_json` used but never assigned in __init__: Method `do_POST` of class `_DeterministicOpenAIHandler` reads `self._write_json`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128173, "scanner": "repobility-ast-engine", "fingerprint": "61684febf4fc504027d81842fbbf5a22dd24b9ea3a590687e5382006470c44d1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|61684febf4fc504027d81842fbbf5a22dd24b9ea3a590687e5382006470c44d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_POST` of class `_DeterministicOpenAIHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128172, "scanner": "repobility-ast-engine", "fingerprint": "ec83f298be13d7601db9b8d21966b8f908949cb11427a89574c4f9001428580a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ec83f298be13d7601db9b8d21966b8f908949cb11427a89574c4f9001428580a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_POST` of class `_DeterministicOpenAIHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128171, "scanner": "repobility-ast-engine", "fingerprint": "cf777d1e729006e73444ec4969b5a0a2f27d942c5d3a0fe97ea188d172ffa415", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cf777d1e729006e73444ec4969b5a0a2f27d942c5d3a0fe97ea188d172ffa415"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._read_json` used but never assigned in __init__: Method `do_POST` of class `_DeterministicOpenAIHandler` reads `self._read_json`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128170, "scanner": "repobility-ast-engine", "fingerprint": "cadd3072647aacfdb398c2ec19a984984b5e7daa6bafb1b70934d5accc96a5bc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cadd3072647aacfdb398c2ec19a984984b5e7daa6bafb1b70934d5accc96a5bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._stub_server` used but never assigned in __init__: Method `do_GET` of class `_DeterministicOpenAIHandler` reads `self._stub_server`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128169, "scanner": "repobility-ast-engine", "fingerprint": "75f57b523b3f912c9f195ecc3fdb0cf14fe8516ea2956fb07c4f089b63202267", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|75f57b523b3f912c9f195ecc3fdb0cf14fe8516ea2956fb07c4f089b63202267"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._stub_server` used but never assigned in __init__: Method `do_GET` of class `_DeterministicOpenAIHandler` reads `self._stub_server`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128168, "scanner": "repobility-ast-engine", "fingerprint": "f0279d1467c162cb61f80dbea76761ee2820cd9b60b5956a2258159439e1d707", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f0279d1467c162cb61f80dbea76761ee2820cd9b60b5956a2258159439e1d707"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `_DeterministicOpenAIHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128167, "scanner": "repobility-ast-engine", "fingerprint": "5aedb3c82d5647b5472c9e21d725a3c91fd8c2e2644d92ee9346ca2da326adb1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5aedb3c82d5647b5472c9e21d725a3c91fd8c2e2644d92ee9346ca2da326adb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._write_json` used but never assigned in __init__: Method `do_GET` of class `_DeterministicOpenAIHandler` reads `self._write_json`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128166, "scanner": "repobility-ast-engine", "fingerprint": "32a7e0b387a1a19fe811597f970742a25eabcbf2987aba5e8e4792a4e3a84343", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|32a7e0b387a1a19fe811597f970742a25eabcbf2987aba5e8e4792a4e3a84343"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._write_json` used but never assigned in __init__: Method `do_GET` of class `_DeterministicOpenAIHandler` reads `self._write_json`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128165, "scanner": "repobility-ast-engine", "fingerprint": "23c7061215eaa0be319f6caf704d956b75f02ea21e606a109c093c06fb032006", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|23c7061215eaa0be319f6caf704d956b75f02ea21e606a109c093c06fb032006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `_DeterministicOpenAIHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128164, "scanner": "repobility-ast-engine", "fingerprint": "b0996f0fe2ec08fdb41307a1aeca47ab27409dcb8efe32dba8b79b2aa9cd5391", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b0996f0fe2ec08fdb41307a1aeca47ab27409dcb8efe32dba8b79b2aa9cd5391"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/evals/openai_stub.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.cache_dir` used but never assigned in __init__: Method `load_cache` of class `MockDatasetSource` reads `self.cache_dir`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128161, "scanner": "repobility-ast-engine", "fingerprint": "039f6bd0c8d1ded2281baf9886cd34105f0425280aadad99565b50c77d82f6d6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|039f6bd0c8d1ded2281baf9886cd34105f0425280aadad99565b50c77d82f6d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_slice_cache.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.cache_dir` used but never assigned in __init__: Method `load_cache` of class `MockDatasetSource` reads `self.cache_dir`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128160, "scanner": "repobility-ast-engine", "fingerprint": "5538429276f081adf68dcee1d3a53ffbc07acd5e8c8568384ef218cc2f24fbb8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5538429276f081adf68dcee1d3a53ffbc07acd5e8c8568384ef218cc2f24fbb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_slice_cache.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_slice_cache_too_small: Test function `test_slice_cache_too_small` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128159, "scanner": "repobility-ast-engine", "fingerprint": "fe762eef51e0a0588aba1336aee4b7384bf1167f0bea3135f0bd013c747cb242", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fe762eef51e0a0588aba1336aee4b7384bf1167f0bea3135f0bd013c747cb242"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_slice_cache.py"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_special_tokens_injection: Test function `test_special_tokens_injection` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128157, "scanner": "repobility-ast-engine", "fingerprint": "40bb71f86010117106bb3374e060d1de79d2d5c9a4a4368ebef1a26f10e4b9ce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|40bb71f86010117106bb3374e060d1de79d2d5c9a4a4368ebef1a26f10e4b9ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_marin_tokenizer.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_marin_tokenizer_integration_checks: Test function `test_marin_tokenizer_integration_checks` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128155, "scanner": "repobility-ast-engine", "fingerprint": "e47a8b07d3f8ebb1694d796efece0e6acb8e45e403c0a64cbf57d03dd6929373", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e47a8b07d3f8ebb1694d796efece0e6acb8e45e403c0a64cbf57d03dd6929373"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_marin_chat_template.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_restore_raises_when_required_and_no_checkpoint_loads: Test function `test_restore_raises_when_required_and_no_checkpoint_loads` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128151, "scanner": "repobility-ast-engine", "fingerprint": "9f922dc6bcc5195219855d8f9bcb9e35767852f2ce0e28697b452e4312e6832d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9f922dc6bcc5195219855d8f9bcb9e35767852f2ce0e28697b452e4312e6832d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_grug_checkpointing.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_markdownify_stackexchange: Test function `test_markdownify_stackexchange` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128150, "scanner": "repobility-ast-engine", "fingerprint": "43ead37c62c6ae34ddc6597b73ef268a6ef8b45bd56bef80b4006920e10d303e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|43ead37c62c6ae34ddc6597b73ef268a6ef8b45bd56bef80b4006920e10d303e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_snapshot.py"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_markdownify_ar5iv: Test function `test_markdownify_ar5iv` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128149, "scanner": "repobility-ast-engine", "fingerprint": "3c92cfac519ec0ea3cf6f4851990cd209bfc548c532a5e240bf6338b46132c0c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3c92cfac519ec0ea3cf6f4851990cd209bfc548c532a5e240bf6338b46132c0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_snapshot.py"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_markdownify_wikipedia: Test function `test_markdownify_wikipedia` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128148, "scanner": "repobility-ast-engine", "fingerprint": "7340d74af569830e4b64fa4fc5a383fd1b0a35c68394d7fd1893a498d8dc9017", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7340d74af569830e4b64fa4fc5a383fd1b0a35c68394d7fd1893a498d8dc9017"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_snapshot.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_generate_markdown_from_html_with_resiliparse: Test function `test_generate_markdown_from_html_with_resiliparse` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128147, "scanner": "repobility-ast-engine", "fingerprint": "7c395e5a232fbb55f5878c6f36337e466b73e05efdb388b0f1ee2c735b1023f4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7c395e5a232fbb55f5878c6f36337e466b73e05efdb388b0f1ee2c735b1023f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_snapshot.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_rebase_file_path_raises: Test function `test_rebase_file_path_raises` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128144, "scanner": "repobility-ast-engine", "fingerprint": "024ad80bce7362bf1990ed43e2ec487b1e8aed8b3c88f0d463eb16faf13626f3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|024ad80bce7362bf1990ed43e2ec487b1e8aed8b3c88f0d463eb16faf13626f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_utils.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_pathlib_path_handling: Test function `test_pathlib_path_handling` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128143, "scanner": "repobility-ast-engine", "fingerprint": "544fdba7f70d0adcdb79514f70557562a432e00f1fd50e9214fe0ed85d00f17c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|544fdba7f70d0adcdb79514f70557562a432e00f1fd50e9214fe0ed85d00f17c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_training.py"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_dataclass_recursive_checking: Test function `test_dataclass_recursive_checking` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128142, "scanner": "repobility-ast-engine", "fingerprint": "3e4350d64f7a5a029582cff77dce2b0383a191157a5dfb1ea6eb85f8801c2abf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3e4350d64f7a5a029582cff77dce2b0383a191157a5dfb1ea6eb85f8801c2abf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_training.py"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_recursive_path_checking: Test function `test_recursive_path_checking` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128141, "scanner": "repobility-ast-engine", "fingerprint": "50315a6ba6b07512d0a16bb957ea9d64c4fb86aac3b6f51476e65a9dc007199b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|50315a6ba6b07512d0a16bb957ea9d64c4fb86aac3b6f51476e65a9dc007199b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_training.py"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_lm_config_with_train_urls_allowed_out_of_region: Test function `test_lm_config_with_train_urls_allowed_out_of_region` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128140, "scanner": "repobility-ast-engine", "fingerprint": "bf42acc5e29675a96deb77baf849d0b21106b432073f2ad2ab988b408f450e80", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bf42acc5e29675a96deb77baf849d0b21106b432073f2ad2ab988b408f450e80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_training.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_tree_cache_get_batch_reads_sharded_rows: Test function `test_tree_cache_get_batch_reads_sharded_rows` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128139, "scanner": "repobility-ast-engine", "fingerprint": "650199614b985ac9e2bb5c9a95ff9f96bb0f51c50110da034253797871b2a147", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|650199614b985ac9e2bb5c9a95ff9f96bb0f51c50110da034253797871b2a147"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_consolidate_metadata.py"}, "region": {"startLine": 276}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_greedy_prepacked_dataset_reads_sharded_cache: Test function `test_greedy_prepacked_dataset_reads_sharded_cache` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128138, "scanner": "repobility-ast-engine", "fingerprint": "402eeb4ebc8711de3c2b2eaad5dbc67dd22bf454e73aaf6ba32518a1f38a66cd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|402eeb4ebc8711de3c2b2eaad5dbc67dd22bf454e73aaf6ba32518a1f38a66cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_consolidate_metadata.py"}, "region": {"startLine": 226}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_sharded_cache_rejects_total_row_mismatch: Test function `test_sharded_cache_rejects_total_row_mismatch` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128137, "scanner": "repobility-ast-engine", "fingerprint": "67ffa10b091620285051329bc08ac132b2d17090b05245ddfd476221e1566e34", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|67ffa10b091620285051329bc08ac132b2d17090b05245ddfd476221e1566e34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_consolidate_metadata.py"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_sharded_cache_rejects_absolute_shard_paths: Test function `test_sharded_cache_rejects_absolute_shard_paths` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128136, "scanner": "repobility-ast-engine", "fingerprint": "480fdb1f564ce67b0e597d6c434b5902fbec156388edbc8faf2317282c2c5a2d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|480fdb1f564ce67b0e597d6c434b5902fbec156388edbc8faf2317282c2c5a2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_consolidate_metadata.py"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_sharded_cache_requires_row_counts_for_finished_shards: Test function `test_sharded_cache_requires_row_counts_for_finished_shards` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128135, "scanner": "repobility-ast-engine", "fingerprint": "091317b47c010b9bc9d014a91077f12499f2357287b0a657464974345ee7adab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|091317b47c010b9bc9d014a91077f12499f2357287b0a657464974345ee7adab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_consolidate_metadata.py"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_sharded_cache_rejects_duplicate_shards: Test function `test_sharded_cache_rejects_duplicate_shards` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128134, "scanner": "repobility-ast-engine", "fingerprint": "9d5a4e97036463034839a0dc73e26de4dda203fddb97e73251db4d9d286a532d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9d5a4e97036463034839a0dc73e26de4dda203fddb97e73251db4d9d286a532d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_consolidate_metadata.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_consolidate_external_shards_rejected: Test function `test_consolidate_external_shards_rejected` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128133, "scanner": "repobility-ast-engine", "fingerprint": "5f2855b796bff92bfd2a81d45975f79171bfd66454b4039fb9af70ddb266a0ad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5f2855b796bff92bfd2a81d45975f79171bfd66454b4039fb9af70ddb266a0ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_consolidate_metadata.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._prev` used but never assigned in __init__: Method `__exit__` of class `_reset_abstract_mesh` reads `self._prev`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128132, "scanner": "repobility-ast-engine", "fingerprint": "8cc537f9b4baf8be02eaabb2575fbf0ed16f1962a1e89aec813831853c563d2d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8cc537f9b4baf8be02eaabb2575fbf0ed16f1962a1e89aec813831853c563d2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_grug_variant_contracts.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._prev` used but never assigned in __init__: Method `__enter__` of class `_reset_abstract_mesh` reads `self._prev`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128131, "scanner": "repobility-ast-engine", "fingerprint": "decc75fc431acd28f318a9fb5f4f6973fbdbc71252311290b970b64a426620df", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|decc75fc431acd28f318a9fb5f4f6973fbdbc71252311290b970b64a426620df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_grug_variant_contracts.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_validate_data_region_empty_components: Test function `test_validate_data_region_empty_components` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128130, "scanner": "repobility-ast-engine", "fingerprint": "3258d8b13a9f17f0c4bf401b461f0958405ea2acf2390668fdabfd3ac28af1a8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3258d8b13a9f17f0c4bf401b461f0958405ea2acf2390668fdabfd3ac28af1a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_inspect_data_region.py"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_validate_data_region_non_gcs_skipped: Test function `test_validate_data_region_non_gcs_skipped` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128129, "scanner": "repobility-ast-engine", "fingerprint": "c4a0f1516463b883b8ff031f9b4996559cdaabee9b9608ff8184f803229eddc5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c4a0f1516463b883b8ff031f9b4996559cdaabee9b9608ff8184f803229eddc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_inspect_data_region.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_validate_data_region_mismatch: Test function `test_validate_data_region_mismatch` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128128, "scanner": "repobility-ast-engine", "fingerprint": "a8d0dc97aadd627003205f872d10e48fc66d6eaf42250eb298269f2f09d354c4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a8d0dc97aadd627003205f872d10e48fc66d6eaf42250eb298269f2f09d354c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_inspect_data_region.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_validate_data_region_same_region: Test function `test_validate_data_region_same_region` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128127, "scanner": "repobility-ast-engine", "fingerprint": "c5ee6feb37b1372abbb18c1edd7ecc5fb532470990d6ef4ee912519041f01009", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c5ee6feb37b1372abbb18c1edd7ecc5fb532470990d6ef4ee912519041f01009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_inspect_data_region.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_list_variants_at_ref_raises_on_git_error: Test function `test_list_variants_at_ref_raises_on_git_error` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128126, "scanner": "repobility-ast-engine", "fingerprint": "530fe5a488f2ca2a414a48cde8e5f9c918dcae8d437b8ca56c476785a89eb6e6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|530fe5a488f2ca2a414a48cde8e5f9c918dcae8d437b8ca56c476785a89eb6e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_grug_variant_diff_ci.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 128091, "scanner": "repobility-docker", "fingerprint": "bb92977380c0076a92f07bf87ebecfe65f55e1ccaef81144769537d6fb8beee4", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bb92977380c0076a92f07bf87ebecfe65f55e1ccaef81144769537d6fb8beee4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/Dockerfile"}, "region": {"startLine": 177}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 128090, "scanner": "repobility-docker", "fingerprint": "6e01ee3fcf92ae017d1331ba887047666834ed5a45acb83c76eb1dddb99b283b", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6e01ee3fcf92ae017d1331ba887047666834ed5a45acb83c76eb1dddb99b283b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/Dockerfile"}, "region": {"startLine": 161}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 128077, "scanner": "repobility-docker", "fingerprint": "ae9f42cd25dbc62f4f40e7e48a74a496157894e3380f84aa06b65019f0ea7bb3", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ae9f42cd25dbc62f4f40e7e48a74a496157894e3380f84aa06b65019f0ea7bb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/marin/Dockerfile.tpu-ci"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 128076, "scanner": "repobility-docker", "fingerprint": "645300af7febd03234fbf9344ff6815fe1fc580849f7adb213aacfb98fc137c8", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|645300af7febd03234fbf9344ff6815fe1fc580849f7adb213aacfb98fc137c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/marin/Dockerfile.tpu-ci"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 128041, "scanner": "repobility-threat-engine", "fingerprint": "2f8f375dda61fc41f7860dc20baa6307ed73605819e8b331e3da070d0af1302c", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"^(\\d+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|61|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/training/get_files_on_gcs.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 128040, "scanner": "repobility-threat-engine", "fingerprint": "7d1873af9d86ccf115548acc7e540830f97e02e627b3dae8c827477fe5cfec3d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7d1873af9d86ccf115548acc7e540830f97e02e627b3dae8c827477fe5cfec3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/speedrun/onboarding_setup.sh"}, "region": {"startLine": 143}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 128037, "scanner": "repobility-threat-engine", "fingerprint": "16e3f4475b5ebf8b2ccdc3a392d746285d44a0b360d3bb4573fc14b4d80e4114", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|16e3f4475b5ebf8b2ccdc3a392d746285d44a0b360d3bb4573fc14b4d80e4114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/pm/gh_issues_from_markdown.py"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED036", "level": "error", "message": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "properties": {"repobilityId": 128035, "scanner": "repobility-threat-engine", "fingerprint": "58fa16b1c53282fa50da3aa709b88e116ad76674d84f25d09a4a6bb2cd6226d4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-os-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347982+00:00", "triaged_in_corpus": 15, "observations_count": 2221, "ai_coder_pattern_id": 117}, "scanner": "repobility-threat-engine", "correlation_key": "fp|58fa16b1c53282fa50da3aa709b88e116ad76674d84f25d09a4a6bb2cd6226d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/debug/decode_tokens.py"}, "region": {"startLine": 216}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 128034, "scanner": "repobility-threat-engine", "fingerprint": "c3859546a43a1e6a23805192c772ff3039c069132c4b404768da870994fc992e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c3859546a43a1e6a23805192c772ff3039c069132c4b404768da870994fc992e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/datakit/validate_source_staging.py"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 128033, "scanner": "repobility-threat-engine", "fingerprint": "1429290f9520ad7824e178e5ca453dd4382273955daaddc65da16caf647719ac", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1429290f9520ad7824e178e5ca453dd4382273955daaddc65da16caf647719ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/datakit/validate_ferry_outputs.py"}, "region": {"startLine": 271}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 128026, "scanner": "repobility-threat-engine", "fingerprint": "9e32af7b3ae7a3bb3276d65fb4a0d87209e934518596b320b23271f1bb31f337", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9e32af7b3ae7a3bb3276d65fb4a0d87209e934518596b320b23271f1bb31f337"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/finelog/src/query/provider.rs"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 128025, "scanner": "repobility-threat-engine", "fingerprint": "f5279c240586f4d220cd83c4e9c65b652d72b22f9a37bc979badc696c80ae508", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f5279c240586f4d220cd83c4e9c65b652d72b22f9a37bc979badc696c80ae508"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/finelog/build.rs"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 128024, "scanner": "repobility-threat-engine", "fingerprint": "33c77e126d47a515549f91dc917813136a1e47241de74971086b3cec23747f6a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|33c77e126d47a515549f91dc917813136a1e47241de74971086b3cec23747f6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/dupekit/src/ops.rs"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED021", "level": "error", "message": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "properties": {"repobilityId": 128020, "scanner": "repobility-threat-engine", "fingerprint": "224cddd66ad6a2c4ac618dca9678ff490775641dfd171348d422aaed1cd27d73", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "path-traversal-os-join", "owasp": "A01:2021", "cwe_ids": ["CWE-22"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347947+00:00", "triaged_in_corpus": 15, "observations_count": 45678, "ai_coder_pattern_id": 31}, "scanner": "repobility-threat-engine", "correlation_key": "fp|224cddd66ad6a2c4ac618dca9678ff490775641dfd171348d422aaed1cd27d73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/tutorials/hello_world.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 128019, "scanner": "repobility-threat-engine", "fingerprint": "7d7c917e21d5589abd9bba0bc67ee0395465e6b1ff9a69f5b7a6e3cf8a3c98bb", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(config.input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|53|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/tutorials/hello_world.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 128018, "scanner": "repobility-threat-engine", "fingerprint": "ae117bd96a598a3d9a033e137090838fbdc38f5cf8428ae70a4b5a9364355716", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "os.path.join(config.input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|53|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/tutorials/hello_world.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 128010, "scanner": "repobility-threat-engine", "fingerprint": "5ba006f81bb64edacb5acf2ecaeaf2e42d17e3dc2076e6a3f6a160ad70fc0b30", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5ba006f81bb64edacb5acf2ecaeaf2e42d17e3dc2076e6a3f6a160ad70fc0b30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/codehealth/log_stats.py"}, "region": {"startLine": 201}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 128009, "scanner": "repobility-threat-engine", "fingerprint": "d2019cbdcb505388939a71477bfe09823d4feb27b780283f5d8839d11f1b35f7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d2019cbdcb505388939a71477bfe09823d4feb27b780283f5d8839d11f1b35f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/swe_rebench_trace/tracer.py"}, "region": {"startLine": 209}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 128008, "scanner": "repobility-threat-engine", "fingerprint": "91a0cac1c729a7a3a3cb77750d5524161012d1604718cc8698fda2b060386f71", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|91a0cac1c729a7a3a3cb77750d5524161012d1604718cc8698fda2b060386f71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/swe_rebench_trace/proxy.py"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 128007, "scanner": "repobility-threat-engine", "fingerprint": "7a0ad3ce79f8293a1d88597e299d33290474e1af52d3425a61829447b1eb0ca9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7a0ad3ce79f8293a1d88597e299d33290474e1af52d3425a61829447b1eb0ca9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/posttrain/preference_datasets.py"}, "region": {"startLine": 133}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 128001, "scanner": "repobility-threat-engine", "fingerprint": "02438fdfdaf00a7f1f44fba333782a9afb12fc1a456f9d313feafc043f44d1ef", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "counts.update(top_labels)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|02438fdfdaf00a7f1f44fba333782a9afb12fc1a456f9d313feafc043f44d1ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/datakit/cluster/domain/weborganizer/aggregate_labels.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 128000, "scanner": "repobility-threat-engine", "fingerprint": "95f7e588b1ccf988b728a368ad543f1ab0a581132c61370684d521d75af73760", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "np.save(local, arr)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|95f7e588b1ccf988b728a368ad543f1ab0a581132c61370684d521d75af73760"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/datakit/cluster/domain/v0/train.py"}, "region": {"startLine": 155}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 127999, "scanner": "repobility-threat-engine", "fingerprint": "fc01b2547c983d2762d62bbd057f46ba2a5f4caae0ea17de8e883a5d98f2a8de", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Artifact.save(artifact, output_path)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fc01b2547c983d2762d62bbd057f46ba2a5f4caae0ea17de8e883a5d98f2a8de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/datakit/cluster/domain/v0/assign.py"}, "region": {"startLine": 229}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 127997, "scanner": "repobility-threat-engine", "fingerprint": "2dabcb641909b627f5521e0f5c46d49ab74553ca3ae39b5dff33eefd89a23721", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(o", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2dabcb641909b627f5521e0f5c46d49ab74553ca3ae39b5dff33eefd89a23721"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/datakit/cluster/domain/v0/train.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 127996, "scanner": "repobility-threat-engine", "fingerprint": "feaca066af3fa6f29a672d0687f5344eaff18f315ea0a9bdc237d69ee4107fd1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|feaca066af3fa6f29a672d0687f5344eaff18f315ea0a9bdc237d69ee4107fd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/datakit/cluster/domain/v0/ops/coherence_eval.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 127995, "scanner": "repobility-threat-engine", "fingerprint": "0cf340b1f07347ebe986f3506c4d856badd93d62555ed8ea6911d80954d0004b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0cf340b1f07347ebe986f3506c4d856badd93d62555ed8ea6911d80954d0004b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/datakit/cluster/domain/v0/assign.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 127986, "scanner": "repobility-threat-engine", "fingerprint": "3a0e297b286f43b136234c2e7fb45d61cbd9b839eba990d8ca665aa4d8d7cb34", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "print(f\"Total params: {token_embedding + transformer + lm_head}\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|5|print f total params: token_embedding + transformer + lm_head"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/training/scaling_law/calc_model_stats.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 127985, "scanner": "repobility-threat-engine", "fingerprint": "76985431789263768c30cea3b117d12db1730cd09415d98f92728bc4d9c9af4c", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "print(f\"{token} \", end=\"\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|10|print f token end"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/debug/decode_tokens.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 127984, "scanner": "repobility-threat-engine", "fingerprint": "6d852d6fb505455dafca0bd9dc98ecfc9de17ebfd71e65d91f7e39f00da4f21e", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "print(f\"Expected tokens: {expected_tokens}\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|25|print f expected tokens: expected_tokens"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experiments/exp_simple_rl.py"}, "region": {"startLine": 255}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 127979, "scanner": "repobility-threat-engine", "fingerprint": "4dacf82fd7b27783c668442ec91ee4577eb512e881c2d22ad2ced372e3b7e096", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n    (version) => `\n    <li class=\"md-version__item\">\n      <a href=\"${ version.urls.documentati", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4dacf82fd7b27783c668442ec91ee4577eb512e881c2d22ad2ced372e3b7e096"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/javascript/readthedocs.js"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.WANDB_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.WANDB_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128298, "scanner": "repobility-supply-chain", "fingerprint": "ba687ad57ba1605a671d8e485997c27319ce838dcc8538d559425ab2c07479d2", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ba687ad57ba1605a671d8e485997c27319ce838dcc8538d559425ab2c07479d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/levanter-unit.yaml"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.HF_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128297, "scanner": "repobility-supply-chain", "fingerprint": "e655e104c6997b38ab495b2be36ae2619de592ccfeb9dd0db2a6132ba2a211bc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e655e104c6997b38ab495b2be36ae2619de592ccfeb9dd0db2a6132ba2a211bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/levanter-unit.yaml"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.R2_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.R2_SECRET_ACCESS_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128296, "scanner": "repobility-supply-chain", "fingerprint": "7183c0ec6a853c5b0ce230c767e65201b5c70a9100867cbf5b7234981d6cf77f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7183c0ec6a853c5b0ce230c767e65201b5c70a9100867cbf5b7234981d6cf77f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/iris-smoke-coreweave.yaml"}, "region": {"startLine": 147}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.R2_ACCESS_KEY_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.R2_ACCESS_KEY_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128295, "scanner": "repobility-supply-chain", "fingerprint": "18c581d256af20f8ec871bb11dd7cf94b5949e4a4f0495a47ded0222a6c325e0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|18c581d256af20f8ec871bb11dd7cf94b5949e4a4f0495a47ded0222a6c325e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/iris-smoke-coreweave.yaml"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.R2_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.R2_SECRET_ACCESS_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128294, "scanner": "repobility-supply-chain", "fingerprint": "6b3cebf4c701b277b5a7fdb4cbec472e0394885e8a6b20700e78837e346f81ae", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b3cebf4c701b277b5a7fdb4cbec472e0394885e8a6b20700e78837e346f81ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/iris-smoke-coreweave.yaml"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.R2_ACCESS_KEY_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.R2_ACCESS_KEY_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128293, "scanner": "repobility-supply-chain", "fingerprint": "02b44eb115e62a0c1279a048bdc2d9dc5ae313a4f7f19d6e189a5531f24eafba", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|02b44eb115e62a0c1279a048bdc2d9dc5ae313a4f7f19d6e189a5531f24eafba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/iris-smoke-coreweave.yaml"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.R2_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.R2_SECRET_ACCESS_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128292, "scanner": "repobility-supply-chain", "fingerprint": "e0889404ce14df188c9c0bcbceee221a1886add9eea00d365b236b70f5ad9f7b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e0889404ce14df188c9c0bcbceee221a1886add9eea00d365b236b70f5ad9f7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/iris-smoke-coreweave.yaml"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.R2_ACCESS_KEY_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.R2_ACCESS_KEY_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128291, "scanner": "repobility-supply-chain", "fingerprint": "4b85e1c3f00d257bc62ae16343cd99f2d106aefb8e8775198267540d852e00dd", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b85e1c3f00d257bc62ae16343cd99f2d106aefb8e8775198267540d852e00dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/iris-smoke-coreweave.yaml"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CW_KUBECONFIG` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CW_KUBECONFIG }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128290, "scanner": "repobility-supply-chain", "fingerprint": "b76f890f80be98accec87a4e3208bebfef3d20be55d6b18ffbd1e86db8fa8abb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b76f890f80be98accec87a4e3208bebfef3d20be55d6b18ffbd1e86db8fa8abb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/iris-smoke-coreweave.yaml"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GCP_PROJECT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GCP_PROJECT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128289, "scanner": "repobility-supply-chain", "fingerprint": "b878e80d499d74964ceb352e4d0593aa01355ec5869344377431472b8213537b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b878e80d499d74964ceb352e4d0593aa01355ec5869344377431472b8213537b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/iris-smoke-gcp.yaml"}, "region": {"startLine": 280}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GCP_PROJECT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GCP_PROJECT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128288, "scanner": "repobility-supply-chain", "fingerprint": "052ba322e83bba54cfd4993bc46c1825c145d60f4e9273982a61052044d06a0d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|052ba322e83bba54cfd4993bc46c1825c145d60f4e9273982a61052044d06a0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/iris-smoke-gcp.yaml"}, "region": {"startLine": 268}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.IRIS_CI_GCP_SA_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.IRIS_CI_GCP_SA_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128287, "scanner": "repobility-supply-chain", "fingerprint": "bfdb4254cc236defdfb823d1c4f2ba77dc9cc6b68eced8aafd951cc2292ce79a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bfdb4254cc236defdfb823d1c4f2ba77dc9cc6b68eced8aafd951cc2292ce79a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/iris-smoke-gcp.yaml"}, "region": {"startLine": 263}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GCP_PROJECT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GCP_PROJECT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128286, "scanner": "repobility-supply-chain", "fingerprint": "62e6b1de4de91a2de272881c022d04df0bc85f1938daad7d346a6ab7428521e6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|62e6b1de4de91a2de272881c022d04df0bc85f1938daad7d346a6ab7428521e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/iris-smoke-gcp.yaml"}, "region": {"startLine": 176}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GCP_PROJECT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GCP_PROJECT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128285, "scanner": "repobility-supply-chain", "fingerprint": "62c28dfa02e421102997d2b55d811e81759cf8f4515a4a9c5858ade2cba4d906", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|62c28dfa02e421102997d2b55d811e81759cf8f4515a4a9c5858ade2cba4d906"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/iris-smoke-gcp.yaml"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.IRIS_CI_GCP_SA_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.IRIS_CI_GCP_SA_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128284, "scanner": "repobility-supply-chain", "fingerprint": "6168be6c98da2153e71eeb2f8d9d205e413f21f97527bfd0d8963522690a093d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6168be6c98da2153e71eeb2f8d9d205e413f21f97527bfd0d8963522690a093d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/iris-smoke-gcp.yaml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.HF_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128283, "scanner": "repobility-supply-chain", "fingerprint": "4fd92f99ba28a3ab12b5bd611cd6d37faef1ee820e8a492eefe0598068e0536a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4fd92f99ba28a3ab12b5bd611cd6d37faef1ee820e8a492eefe0598068e0536a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/marin-integration.yaml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GCP_PROJECT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GCP_PROJECT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128282, "scanner": "repobility-supply-chain", "fingerprint": "26cc7987fecc4676b2ff0d6cda112cee416cc5d7669696feb7f3f87fb5673ced", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|26cc7987fecc4676b2ff0d6cda112cee416cc5d7669696feb7f3f87fb5673ced"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ops-infra-dashboard.yaml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.MARIN_CD_CLOUD_RUN_SA_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.MARIN_CD_CLOUD_RUN_SA_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128281, "scanner": "repobility-supply-chain", "fingerprint": "b53b3a5d28931df410ed6752e5bd434b0e310fd0bea036abd69259e9ac62d96a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b53b3a5d28931df410ed6752e5bd434b0e310fd0bea036abd69259e9ac62d96a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ops-infra-dashboard.yaml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLAUDE_CODE_OAUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLAUDE_CODE_OAUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128280, "scanner": "repobility-supply-chain", "fingerprint": "9fa476407e9b7cbfa9d34f576e10b7c72a2682b1509c8bf8046ab19ca3a7cc3e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9fa476407e9b7cbfa9d34f576e10b7c72a2682b1509c8bf8046ab19ca3a7cc3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ops-claude-review.yaml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLAUDE_CODE_OAUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLAUDE_CODE_OAUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128279, "scanner": "repobility-supply-chain", "fingerprint": "b46f0002f66705f487699ad17f4885427ea8879f0d17260690a28607d521be50", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b46f0002f66705f487699ad17f4885427ea8879f0d17260690a28607d521be50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/iris-unit.yaml"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GCP_PROJECT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GCP_PROJECT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128278, "scanner": "repobility-supply-chain", "fingerprint": "75afebd14ba3ed0285988ab1482a7df5e355067a5311c82ede67a9c8e61a77e3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|75afebd14ba3ed0285988ab1482a7df5e355067a5311c82ede67a9c8e61a77e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/iris-release-iap-proxy.yaml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.MARIN_CD_CLOUD_RUN_SA_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.MARIN_CD_CLOUD_RUN_SA_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128277, "scanner": "repobility-supply-chain", "fingerprint": "84eb4c53777cf3d572585f21edb1195abc00471d5046abd20398708e13fe5335", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|84eb4c53777cf3d572585f21edb1195abc00471d5046abd20398708e13fe5335"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/iris-release-iap-proxy.yaml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.HF_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128276, "scanner": "repobility-supply-chain", "fingerprint": "71f80857ccc77cae0186160018739faeba49dff7e24d80e77c93c689dd07991c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|71f80857ccc77cae0186160018739faeba49dff7e24d80e77c93c689dd07991c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/marin-unit.yaml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128211, "scanner": "repobility-ast-engine", "fingerprint": "11eb7e0779d5b8891d41ad300104771366a17fb2cbb88b0d7ce973858a10f271", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|11eb7e0779d5b8891d41ad300104771366a17fb2cbb88b0d7ce973858a10f271"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/src/iris/cluster/worker/env_probe.py"}, "region": {"startLine": 225}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128210, "scanner": "repobility-ast-engine", "fingerprint": "c01070719abd0600bf80b95ec88794d8204f1cd7cadb75d9b94d5a72b81ebb80", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c01070719abd0600bf80b95ec88794d8204f1cd7cadb75d9b94d5a72b81ebb80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/src/iris/cluster/providers/vm_lifecycle.py"}, "region": {"startLine": 277}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128209, "scanner": "repobility-ast-engine", "fingerprint": "4338cb82880af76d4bc04b678acd86d988e46f55cc5ecd83c8e316f85589faf9", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4338cb82880af76d4bc04b678acd86d988e46f55cc5ecd83c8e316f85589faf9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/src/iris/cluster/runtime/docker.py"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `inspect` used but not imported: The file uses `inspect.something(...)` but never imports `inspect`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128208, "scanner": "repobility-ast-engine", "fingerprint": "8c8229def01fb10ba64c7e92d71139961272e7b1b730b96f5d85c0e83a801e5d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8c8229def01fb10ba64c7e92d71139961272e7b1b730b96f5d85c0e83a801e5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/src/iris/cluster/runtime/docker.py"}, "region": {"startLine": 853}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128207, "scanner": "repobility-ast-engine", "fingerprint": "e3f06b6bcc699eaa4803e38485ae1a1b21a47790003f6542d919b7d986792ffd", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e3f06b6bcc699eaa4803e38485ae1a1b21a47790003f6542d919b7d986792ffd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/src/iris/cluster/config.py"}, "region": {"startLine": 609}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128206, "scanner": "repobility-ast-engine", "fingerprint": "aa58857279e494ba1136187ee405522c53afd232b23c9edb67c35b5a27c1062d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aa58857279e494ba1136187ee405522c53afd232b23c9edb67c35b5a27c1062d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/tests/cluster/providers/gcp/test_vm_lifecycle.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128205, "scanner": "repobility-ast-engine", "fingerprint": "71e6c85a72b74172aa20767ca88e5ce0a327d207ece4e1bc70bf5bd48eab35db", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|71e6c85a72b74172aa20767ca88e5ce0a327d207ece4e1bc70bf5bd48eab35db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/tests/cluster/providers/gcp/test_platform.py"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128204, "scanner": "repobility-ast-engine", "fingerprint": "e3303c064092e7de54895de19ef67d76749b17f545ed988e2c76871f094ca3ae", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e3303c064092e7de54895de19ef67d76749b17f545ed988e2c76871f094ca3ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/tests/cluster/controller/test_vm_lifecycle.py"}, "region": {"startLine": 248}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128203, "scanner": "repobility-ast-engine", "fingerprint": "72b4ae648ae79d84f04cf23c821526d5cf0dd2aa3914f3668ee24d94f6eb91ff", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|72b4ae648ae79d84f04cf23c821526d5cf0dd2aa3914f3668ee24d94f6eb91ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/tests/cluster/controller/test_autoscaler.py"}, "region": {"startLine": 410}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128202, "scanner": "repobility-ast-engine", "fingerprint": "29a5e7149ff3ddd0210ba0b15c20e733c9abd991abc43a3b96d449eaf4faa238", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|29a5e7149ff3ddd0210ba0b15c20e733c9abd991abc43a3b96d449eaf4faa238"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/tests/cluster/worker/test_worker.py"}, "region": {"startLine": 867}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128201, "scanner": "repobility-ast-engine", "fingerprint": "5e980bf48a0074ec99599ee40b591a9f136c31e3d4e7b48e5189f3360a7b9397", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5e980bf48a0074ec99599ee40b591a9f136c31e3d4e7b48e5189f3360a7b9397"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/tests/cluster/worker/test_stats.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128200, "scanner": "repobility-ast-engine", "fingerprint": "486a7f1f1f5f5f80ef97211303d8322dc132a02831dd9a9c30e7be666f2b0ebc", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|486a7f1f1f5f5f80ef97211303d8322dc132a02831dd9a9c30e7be666f2b0ebc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/tests/cluster/providers/test_scaling_group.py"}, "region": {"startLine": 792}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128199, "scanner": "repobility-ast-engine", "fingerprint": "ce1de82b59bbf17a169ba3fea7a6be618162901b86c84b5678fa89076f8864bf", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ce1de82b59bbf17a169ba3fea7a6be618162901b86c84b5678fa89076f8864bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/iris/tests/cluster/providers/conftest.py"}, "region": {"startLine": 212}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128198, "scanner": "repobility-ast-engine", "fingerprint": "6ca2cb0f560ac1c0378e912ecc461fec4bb88bc6bf33bfea39248773b409a582", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6ca2cb0f560ac1c0378e912ecc461fec4bb88bc6bf33bfea39248773b409a582"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/finelog/src/finelog/deploy/_gcp.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `re` used but not imported: The file uses `re.something(...)` but never imports `re`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128197, "scanner": "repobility-ast-engine", "fingerprint": "754282260a05d73984c1b57015d5b3b26628070df06bb5fdadde30600984e3ef", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|754282260a05d73984c1b57015d5b3b26628070df06bb5fdadde30600984e3ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/finelog/tests/parity/test_metadata.py"}, "region": {"startLine": 239}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `array` used but not imported: The file uses `array.something(...)` but never imports `array`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128196, "scanner": "repobility-ast-engine", "fingerprint": "20eb4d01ed4071fb80597b9f932e9a42e34c3feb76cfabb7c388c64d58726bec", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|20eb4d01ed4071fb80597b9f932e9a42e34c3feb76cfabb7c388c64d58726bec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/haliax/src/haliax/_src/rearrange.py"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `array` used but not imported: The file uses `array.something(...)` but never imports `array`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128195, "scanner": "repobility-ast-engine", "fingerprint": "392f9b4ca25befd5bdd6822b71b3c0e8c1a24f9fed4e5a7958d1db1c6dcb4d98", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|392f9b4ca25befd5bdd6822b71b3c0e8c1a24f9fed4e5a7958d1db1c6dcb4d98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/haliax/src/haliax/_src/parsing.py"}, "region": {"startLine": 261}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `array` used but not imported: The file uses `array.something(...)` but never imports `array`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128194, "scanner": "repobility-ast-engine", "fingerprint": "ca32cac1c37fcd8b9f485d99f41af63580c62f13eb69c9f6c8afb60aae91ded1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ca32cac1c37fcd8b9f485d99f41af63580c62f13eb69c9f6c8afb60aae91ded1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/haliax/src/haliax/_src/einsum.py"}, "region": {"startLine": 388}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `struct` used but not imported: The file uses `struct.something(...)` but never imports `struct`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128193, "scanner": "repobility-ast-engine", "fingerprint": "06b863c45adefb66ea6663dd08a314e694f880e15064a8310828ec4c54d3dafc", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|06b863c45adefb66ea6663dd08a314e694f880e15064a8310828ec4c54d3dafc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/haliax/src/haliax/_src/state_dict.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `array` used but not imported: The file uses `array.something(...)` but never imports `array`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128192, "scanner": "repobility-ast-engine", "fingerprint": "ac000feec1fec9eeea4761559e7b94b62ac5285347fb5398a86c11179c16bffd", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ac000feec1fec9eeea4761559e7b94b62ac5285347fb5398a86c11179c16bffd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/haliax/src/haliax/core.py"}, "region": {"startLine": 917}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `array` used but not imported: The file uses `array.something(...)` but never imports `array`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128191, "scanner": "repobility-ast-engine", "fingerprint": "f56d2fbd3499f4ee5326dcd91736b093c81df3de3fa78496a1807d3d20864538", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f56d2fbd3499f4ee5326dcd91736b093c81df3de3fa78496a1807d3d20864538"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/haliax/src/haliax/hof.py"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `array` used but not imported: The file uses `array.something(...)` but never imports `array`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128190, "scanner": "repobility-ast-engine", "fingerprint": "280b5d290bff1017b4c86fe2224d52704df62909b3dbc40b4766f1bfd40701eb", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|280b5d290bff1017b4c86fe2224d52704df62909b3dbc40b4766f1bfd40701eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/haliax/src/haliax/ops.py"}, "region": {"startLine": 231}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `array` used but not imported: The file uses `array.something(...)` but never imports `array`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128189, "scanner": "repobility-ast-engine", "fingerprint": "e79c359a6a971c77c9a047416879fb207d851050ecde7beb80cda7d388417429", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e79c359a6a971c77c9a047416879fb207d851050ecde7beb80cda7d388417429"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/haliax/tests/test_named_ref.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128186, "scanner": "repobility-ast-engine", "fingerprint": "9673c595aa3d3940cd45c36e517c966922fae2a7919218aeb651efbea177e98e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9673c595aa3d3940cd45c36e517c966922fae2a7919218aeb651efbea177e98e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/profiling/test_profile_summary.py"}, "region": {"startLine": 923}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128163, "scanner": "repobility-ast-engine", "fingerprint": "f9ac957cb27d2bc3aa5cf37f04b9eb4f13e77ffe7ee2b6a35a147f5d2995d830", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f9ac957cb27d2bc3aa5cf37f04b9eb4f13e77ffe7ee2b6a35a147f5d2995d830"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/rl/test_replay_buffer.py"}, "region": {"startLine": 94}}}]}]}]}