{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 556 lines (recommend <300)", "shortDescription": {"text": "Average file size is 556 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. 
Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.", "shortDescription": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 9 more): Same pattern found in 9 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/deploy-pages` pinned to mutable ref `@v4`: `uses: actions/deploy-pages@v4` resolves at workfl", "shortDescription": {"text": "[MINED115] Action `actions/deploy-pages` pinned to mutable ref `@v4`: `uses: actions/deploy-pages@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise ("}, "fullDescription": {"text": "Replace with: `uses: actions/deploy-pages@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.SCCACHE_GCS_KEY_JSON` on a `pull_request` trigger: This workflow triggers on `pull_req", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.SCCACHE_GCS_KEY_JSON` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.SCCACHE_GCS_KEY_JSON }` lets a PR from any fork exfiltr"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1090"}, "properties": {"repository": "tsz-org/tsz", "repoUrl": "https://github.com/tsz-org/tsz", "branch": "main"}, "results": [{"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 106800, "scanner": "repobility-agent-runtime", "fingerprint": "d4c8dc5e4f448892df4da5f610e2c47534515e1e48d5182e2c8d73fea948911d", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d4c8dc5e4f448892df4da5f610e2c47534515e1e48d5182e2c8d73fea948911d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 53}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 106799, "scanner": "repobility-agent-runtime", "fingerprint": "fb13b776ae95fbac9f0e407f101dec7da348e6499d4a331916932a1954fe26fe", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": 
"AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|fb13b776ae95fbac9f0e407f101dec7da348e6499d4a331916932a1954fe26fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh-pages.yml"}, "region": {"startLine": 168}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 106786, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 556 lines (recommend <300)"}, "properties": {"repobilityId": 106778, "scanner": "repobility-core", "fingerprint": "ca0ca9b83830d53470f4f8372b23f645d3b1a7ac8a9d5a9832776ea2dfd202ec", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|ca0ca9b83830d53470f4f8372b23f645d3b1a7ac8a9d5a9832776ea2dfd202ec"}}}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106798, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b10b874e12ea3c5c31e6d0d8f8d55970b504ae433923821af1e6b43b9578a111", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": 
"A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tsz-checker/src/error_reporter/assignability_keyof_alias_display.rs", "duplicate_line": 112, "correlation_key": "fp|b10b874e12ea3c5c31e6d0d8f8d55970b504ae433923821af1e6b43b9578a111"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tsz-checker/src/error_reporter/core/diagnostic_source/type_query_alias.rs"}, "region": {"startLine": 74}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106797, "scanner": "repobility-ai-code-hygiene", "fingerprint": "18e55db98be03c4c2191a7978efb319196d750d0313f7e6a7a5aa51fc32621f4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tsz-checker/src/declarations/import/verbatim.rs", "duplicate_line": 501, "correlation_key": "fp|18e55db98be03c4c2191a7978efb319196d750d0313f7e6a7a5aa51fc32621f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tsz-checker/src/declarations/module_checker/verbatim_module_syntax.rs"}, "region": {"startLine": 271}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106796, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5ec0f4822afeb296cfe2a5912afccf7eba22e70fd0b404db377dcbcc34b7e1cf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tsz-checker/src/declarations/dynamic_import_checker.rs", "duplicate_line": 305, "correlation_key": "fp|5ec0f4822afeb296cfe2a5912afccf7eba22e70fd0b404db377dcbcc34b7e1cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tsz-checker/src/declarations/import/declaration_check_body.rs"}, "region": {"startLine": 145}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106795, "scanner": "repobility-ai-code-hygiene", "fingerprint": "825221489cc26aa144b20d8985a326b4e8c153af8cc1a91aefcced1f88a3a1fe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tsz-checker/src/declarations/import/core/import_members_tests.rs", "duplicate_line": 42, "correlation_key": "fp|825221489cc26aa144b20d8985a326b4e8c153af8cc1a91aefcced1f88a3a1fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tsz-checker/src/declarations/import/declaration.rs"}, "region": {"startLine": 271}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106794, "scanner": "repobility-ai-code-hygiene", "fingerprint": "16621eb55929e482d80e94c98b421c6fd2e9e6555df0a9fcce9e9d3bbd41823d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized 
source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tsz-checker/src/classes/class_helpers.rs", "duplicate_line": 26, "correlation_key": "fp|16621eb55929e482d80e94c98b421c6fd2e9e6555df0a9fcce9e9d3bbd41823d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tsz-checker/src/classes/class_implements_helpers.rs"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106793, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8de1060e98943b85177aa0107f1e005b8cf20b9f25d9dd2c26710b9f054beb8e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tsz-checker/src/checkers/jsx/optional_prop_display_tests.rs", "duplicate_line": 26, "correlation_key": "fp|8de1060e98943b85177aa0107f1e005b8cf20b9f25d9dd2c26710b9f054beb8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tsz-checker/src/checkers/jsx/target_display_tests.rs"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106792, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b916f5a1a406fa277c239f8571e17a80f33b2b532e0ddd04fc8a9fcf57730dcd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test 
files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tsz-checker/src/checkers/jsx/props/resolution.rs", "duplicate_line": 290, "correlation_key": "fp|b916f5a1a406fa277c239f8571e17a80f33b2b532e0ddd04fc8a9fcf57730dcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tsz-checker/src/checkers/jsx/props/union_props.rs"}, "region": {"startLine": 97}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106791, "scanner": "repobility-ai-code-hygiene", "fingerprint": "82737a919b5c26d7707bde588d26b9ff1a47bc2dc1b21444aba4313c4582b409", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tsz-checker/src/checkers/jsx/overloads.rs", "duplicate_line": 523, "correlation_key": "fp|82737a919b5c26d7707bde588d26b9ff1a47bc2dc1b21444aba4313c4582b409"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tsz-checker/src/checkers/jsx/props/union_props.rs"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106790, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5402caf5149fb4667f205552bdea62dd7c49fb312407be1fbfc30341f4e528ba", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tsz-checker/src/checkers/jsx/overloads.rs", "duplicate_line": 220, "correlation_key": "fp|5402caf5149fb4667f205552bdea62dd7c49fb312407be1fbfc30341f4e528ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tsz-checker/src/checkers/jsx/props/synthesized_display.rs"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106789, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7557cd9d40bef97f40d60de7f7e4c076e2f988652619573174b94cd070bd17bd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tsz-checker/src/checkers/jsx/props/attr_check_pipeline.rs", "duplicate_line": 604, "correlation_key": "fp|7557cd9d40bef97f40d60de7f7e4c076e2f988652619573174b94cd070bd17bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tsz-checker/src/checkers/jsx/props/resolution.rs"}, "region": {"startLine": 538}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106788, "scanner": "repobility-ai-code-hygiene", "fingerprint": "672ef4e0859309e9c45e7e0a141a77027c86e90b47fc6b7139bd9d2b3abdbe31", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "crates/tsz-checker/src/checkers/jsx/overloads.rs", "duplicate_line": 221, "correlation_key": "fp|672ef4e0859309e9c45e7e0a141a77027c86e90b47fc6b7139bd9d2b3abdbe31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tsz-checker/src/checkers/jsx/props/resolution.rs"}, "region": {"startLine": 251}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106787, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f7e366c25f8a9043cbfac10f373e5b1750b713d1408c6aff9a2ee93ade68620e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tsz-checker/src/checkers/generic_checker/infer_conditional_helpers.rs", "duplicate_line": 8, "correlation_key": "fp|f7e366c25f8a9043cbfac10f373e5b1750b713d1408c6aff9a2ee93ade68620e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tsz-checker/src/checkers/generic_checker/mapped_constraint_helpers.rs"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 106785, "scanner": "repobility-threat-engine", "fingerprint": "ecd823c65e0ec2a6ebbd2af7926b3a287b6d62ebac6e2644973d17aa9a8a8b43", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ecd823c65e0ec2a6ebbd2af7926b3a287b6d62ebac6e2644973d17aa9a8a8b43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/conformance/src/server_pool.rs"}, "region": {"startLine": 322}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 106783, "scanner": "repobility-threat-engine", "fingerprint": "808bbde64c7818b295f25feddf221ff7e317186ba16454e992af687bb2607151", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|808bbde64c7818b295f25feddf221ff7e317186ba16454e992af687bb2607151"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/conformance/src/process_rss.rs"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 106782, "scanner": "repobility-threat-engine", "fingerprint": "e927f12b033e03c4349e7f79ee95ac2789482e181969a09e588da4b23ab9a911", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e927f12b033e03c4349e7f79ee95ac2789482e181969a09e588da4b23ab9a911", "aggregated_count": 9}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 106781, "scanner": "repobility-threat-engine", "fingerprint": "9a209f81cec63cbc9374dd2ea900b3fc147ea3686a80733b974eb5011f532249", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9a209f81cec63cbc9374dd2ea900b3fc147ea3686a80733b974eb5011f532249"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/conformance/src/server_pool.rs"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 106780, "scanner": "repobility-threat-engine", "fingerprint": "1bfc1c1c928d0669962e7fa82ad2ecb13f8f6a06d32684c81a7bce376f5c2e95", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1bfc1c1c928d0669962e7fa82ad2ecb13f8f6a06d32684c81a7bce376f5c2e95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/conformance/src/process_rss.rs"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 106779, "scanner": "repobility-threat-engine", "fingerprint": "750f63ebee3be053f4392ec4993afcbb79b7a08ae0f84c08df5d90252dc5b3c5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|750f63ebee3be053f4392ec4993afcbb79b7a08ae0f84c08df5d90252dc5b3c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/conformance/src/cache.rs"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/deploy-pages` pinned to mutable ref `@v4`: `uses: actions/deploy-pages@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106825, "scanner": "repobility-supply-chain", "fingerprint": "bb8191cc56d18d369e187e35a5203b8518cee7e1fd0e3a6138b248e9ba2a1a31", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bb8191cc56d18d369e187e35a5203b8518cee7e1fd0e3a6138b248e9ba2a1a31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh-pages.yml"}, "region": {"startLine": 414}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-pages-artifact` pinned to mutable ref `@v3`: `uses: actions/upload-pages-artifact@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106824, "scanner": "repobility-supply-chain", "fingerprint": "6dfa9790bb7ac6aa3678dd2f99c2b0e7abc8fe84046347b7bfceff43bf3013e7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6dfa9790bb7ac6aa3678dd2f99c2b0e7abc8fe84046347b7bfceff43bf3013e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh-pages.yml"}, "region": {"startLine": 400}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106823, "scanner": "repobility-supply-chain", "fingerprint": "39cfe54945dae17d12e256d06f09a326ba9f130790005eb46315f5ef86540b77", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|39cfe54945dae17d12e256d06f09a326ba9f130790005eb46315f5ef86540b77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh-pages.yml"}, "region": {"startLine": 387}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106822, "scanner": "repobility-supply-chain", "fingerprint": "48fcd30e4ac3898c72be3a18698643bb3c8c6ef9f8ef364fed4bd2a1aede0fa6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|48fcd30e4ac3898c72be3a18698643bb3c8c6ef9f8ef364fed4bd2a1aede0fa6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh-pages.yml"}, "region": {"startLine": 227}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106821, "scanner": "repobility-supply-chain", "fingerprint": "0b7481c15d6f975cf278b6601fadca0e501454a752ab17c8b8102898c4bcf20f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0b7481c15d6f975cf278b6601fadca0e501454a752ab17c8b8102898c4bcf20f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh-pages.yml"}, "region": {"startLine": 195}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106820, "scanner": "repobility-supply-chain", "fingerprint": "ef6d4e7c16651d034f1aec11d64e2359ce8de3fd4b4fd95914c16e4ced69f9e8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef6d4e7c16651d034f1aec11d64e2359ce8de3fd4b4fd95914c16e4ced69f9e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh-pages.yml"}, "region": {"startLine": 194}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106819, "scanner": "repobility-supply-chain", "fingerprint": "bd12088b3bd8d9fd28f9dd55f029708017e92f2029dd51b5b5b9438055fdf23b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bd12088b3bd8d9fd28f9dd55f029708017e92f2029dd51b5b5b9438055fdf23b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh-pages.yml"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106818, "scanner": "repobility-supply-chain", "fingerprint": "45a1d0ef58f95453a823f6fe397ec38fa2a0e8ed3c30263cf575e58e8ea3d336", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45a1d0ef58f95453a823f6fe397ec38fa2a0e8ed3c30263cf575e58e8ea3d336"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh-pages.yml"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106817, "scanner": "repobility-supply-chain", "fingerprint": "7fd0ec256e9f16115999b3c8a1f013a3feb181868d8829416d037868bb7a9c93", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7fd0ec256e9f16115999b3c8a1f013a3feb181868d8829416d037868bb7a9c93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh-pages.yml"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106816, "scanner": "repobility-supply-chain", "fingerprint": "b183efb8ef2b93ca54c92a95905e768e5dbc61b482ca8498120e15cb3ea6b527", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b183efb8ef2b93ca54c92a95905e768e5dbc61b482ca8498120e15cb3ea6b527"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh-pages.yml"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106815, "scanner": "repobility-supply-chain", "fingerprint": "871a430dce918dba2ac3a4d0f9f5f6083f6e75ad92e09a8cfc46e807ec1f5390", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|871a430dce918dba2ac3a4d0f9f5f6083f6e75ad92e09a8cfc46e807ec1f5390"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh-pages.yml"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106814, "scanner": "repobility-supply-chain", "fingerprint": "4db6bb36de92e2321badc8a29dbd20e9f4fe4d5dc75582c72b659ab5a748b0fd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4db6bb36de92e2321badc8a29dbd20e9f4fe4d5dc75582c72b659ab5a748b0fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh-pages.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106813, "scanner": "repobility-supply-chain", "fingerprint": "e1b7bde6a7c21aff02e9c7e6f4ab50360fa7be31f74c371cfc0c2377dd3300cd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e1b7bde6a7c21aff02e9c7e6f4ab50360fa7be31f74c371cfc0c2377dd3300cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-health.yml"}, "region": {"startLine": 257}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106812, "scanner": "repobility-supply-chain", "fingerprint": "aadedc03e445aa05f036188cc17c4505926fed360961628c0b802292c8f3a6aa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aadedc03e445aa05f036188cc17c4505926fed360961628c0b802292c8f3a6aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-health.yml"}, "region": {"startLine": 210}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106811, "scanner": "repobility-supply-chain", "fingerprint": "7875d245369cd2f370dc1c8fabbb70d7b0da54af7350cc4f1edb85e6e412d462", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7875d245369cd2f370dc1c8fabbb70d7b0da54af7350cc4f1edb85e6e412d462"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-health.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106810, "scanner": "repobility-supply-chain", "fingerprint": "12e0a71a0b792a982cec00e6a8ae40b4fcfdf3b8d234bba4958b0738ff5363a6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|12e0a71a0b792a982cec00e6a8ae40b4fcfdf3b8d234bba4958b0738ff5363a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-health.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106809, "scanner": "repobility-supply-chain", "fingerprint": "2ad5c3558b0646a6e00be6fe99e344303246900f664c789931dc8bdeec5eaefb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2ad5c3558b0646a6e00be6fe99e344303246900f664c789931dc8bdeec5eaefb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/refresh-green-prs.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106808, "scanner": "repobility-supply-chain", "fingerprint": "c51256561ea934136f8079b4673b240b9f6f03575e9457d8435e9fb9a9f61e0a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c51256561ea934136f8079b4673b240b9f6f03575e9457d8435e9fb9a9f61e0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106807, "scanner": "repobility-supply-chain", "fingerprint": "dc7cc701d858eb0588d48b0676b44cdebcdc4d4c627c6e75bfba4d657bf4c41d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dc7cc701d858eb0588d48b0676b44cdebcdc4d4c627c6e75bfba4d657bf4c41d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106806, "scanner": "repobility-supply-chain", "fingerprint": "4d385fe9a5cfbcd9ba0afda985abcd78dab892d53a77a67a2c1ad8887e78584a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d385fe9a5cfbcd9ba0afda985abcd78dab892d53a77a67a2c1ad8887e78584a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106805, "scanner": "repobility-supply-chain", "fingerprint": "5fddb470520e754e0a1f7aa757b5f99d0188ab21ccf552996046d032b67bb340", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5fddb470520e754e0a1f7aa757b5f99d0188ab21ccf552996046d032b67bb340"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `taiki-e/install-action` pinned to mutable ref `@v2`: `uses: taiki-e/install-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106804, "scanner": "repobility-supply-chain", "fingerprint": "cd3ca5c89e894c7f4a2374d8db06a8ad0261ceb49f2f172e98eb6c44086e4b1d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd3ca5c89e894c7f4a2374d8db06a8ad0261ceb49f2f172e98eb6c44086e4b1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106803, "scanner": "repobility-supply-chain", "fingerprint": "160bedb802f04aad92d539f6830801151a01f42829989a88b70605dca7526821", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|160bedb802f04aad92d539f6830801151a01f42829989a88b70605dca7526821"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106802, "scanner": "repobility-supply-chain", "fingerprint": "181b25aeecf3d26a0657101ffbc706f91ed50d5da2b8d13b390b3abaf73104b0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|181b25aeecf3d26a0657101ffbc706f91ed50d5da2b8d13b390b3abaf73104b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 106801, "scanner": "repobility-supply-chain", "fingerprint": "c66b49711f3e27827a494ce3f588fed57fb47ff02afd3a827ccf7f7457e2474e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c66b49711f3e27827a494ce3f588fed57fb47ff02afd3a827ccf7f7457e2474e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 106784, "scanner": "repobility-threat-engine", "fingerprint": "5e15426af56d838203c8722446e32b2c31835c061d24abfb1a9a7a624ebc75f0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5e15426af56d838203c8722446e32b2c31835c061d24abfb1a9a7a624ebc75f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/conformance/src/server_pool.rs"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SCCACHE_GCS_KEY_JSON` on a 
`pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.SCCACHE_GCS_KEY_JSON }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 106830, "scanner": "repobility-supply-chain", "fingerprint": "524a26928e7d9acce43e13675ae076bf0353bce85b419eaf268a298249277932", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|524a26928e7d9acce43e13675ae076bf0353bce85b419eaf268a298249277932"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 1007}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SCCACHE_GCS_KEY_JSON` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.SCCACHE_GCS_KEY_JSON }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 106829, "scanner": "repobility-supply-chain", "fingerprint": "acc4ed35ad4c838db0c7df1839ce49c23c900506e25289fe340512cec42a2020", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|acc4ed35ad4c838db0c7df1839ce49c23c900506e25289fe340512cec42a2020"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 967}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SCCACHE_GCS_KEY_JSON` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.SCCACHE_GCS_KEY_JSON }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 106828, "scanner": "repobility-supply-chain", "fingerprint": "64e4bdfce510fa2f4bda0af42d5c92354546f71ee33cd55b560115940860b2c3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|64e4bdfce510fa2f4bda0af42d5c92354546f71ee33cd55b560115940860b2c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 842}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SCCACHE_GCS_KEY_JSON` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.SCCACHE_GCS_KEY_JSON }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 106827, "scanner": "repobility-supply-chain", "fingerprint": "d5ff11080332615f5ef789f2d80ebee5f077264de517a6d1ed00c2e1d4737181", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d5ff11080332615f5ef789f2d80ebee5f077264de517a6d1ed00c2e1d4737181"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 683}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SCCACHE_GCS_KEY_JSON` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.SCCACHE_GCS_KEY_JSON }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 106826, "scanner": "repobility-supply-chain", "fingerprint": "2bb9ff786578c2dc311ff703fa93660fd5183aca5d9bbf5c0c672b57d037e0a3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2bb9ff786578c2dc311ff703fa93660fd5183aca5d9bbf5c0c672b57d037e0a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 601}}}]}]}]}