{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "A file whose name carries a fixed/new/final/copy/update-style suffix is not referenced by imports or path-like strings in the rest of the repository. This is a common sign that an agent produced code beside the active application path; confirm against the build graph (for example Bazel BUILD targets) and include sites before removing the file."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files whose names end in final, fixed, copy, new, update, or backup are often temporary patch artifacts. They may be legitimate (the suffix can simply be an ordinary word in the name), but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics; see CWE-401 for context. Prefer std::unique_ptr or another RAII owner over a raw new. Note that a raw new in a JNI helper whose result is handed to the Java side may be released later by a paired native free function rather than by a delete in the same file; confirm whether such a release path exists before treating the allocation as a leak."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED022", "name": "[MINED022] C Strcpy (and 40 more): Same pattern found in 40 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED022] C Strcpy (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics; see CWE-120 for context. strcpy/strcat copy until the source NUL with no regard for the destination size. Prefer snprintf, strlcpy, or std::string; strncpy alone is not a fix, because it does not NUL-terminate when the source fills the buffer. A match in C++ code may also be a substring hit on a similarly named helper (e.g. StrCat) rather than the libc call, so confirm the callee before acting."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `bazel-contrib/setup-bazel` pinned to mutable ref `@0.18.0`", "shortDescription": {"text": "Action `bazel-contrib/setup-bazel` pinned to mutable ref `@0.18.0`"}, "fullDescription": {"text": "`uses: bazel-contrib/setup-bazel@0.18.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner, or by whoever compromises the owner's credentials; that is how the tj-actions/changed-files compromise (March 2025) retroactively pointed existing version tags at malicious code and reached roughly 23K repositories. Pin to the full 40-character commit SHA (keep the version as a trailing comment for readability) and let Dependabot or Renovate keep the pin current."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.GOOGLE_CREDENTIALS` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.GOOGLE_CREDENTIALS` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the pull request's head code. Note that GitHub withholds repository secrets (other than GITHUB_TOKEN) from `pull_request` runs opened from forks, so a fork PR cannot read `${{ secrets.GOOGLE_CREDENTIALS }}` directly. The exposure is to pull requests from branches in this repository, where any collaborator with push access can modify a script or log the value, and to any future change of the trigger to `pull_request_target`, which would run fork-controlled code with the secret available. 
Use `pull_request_target` ONLY with strict checkout discipline (never check out or execute the PR head in that trusted context). Better, keep credentialed steps out of PR-triggered workflows altogether, running them on `push` or `workflow_dispatch` after review, and if `GOOGLE_CREDENTIALS` is a long-lived service-account key, replace it with short-lived OIDC tokens via Workload Identity Federation so nothing durable can be exfiltrated."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1318"}, "properties": {"repository": "google/ink", "repoUrl": "https://github.com/google/ink", "branch": "main"}, "results": [{"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 134487, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e47f042a7d8417c07850058d6996a14b5f00eca0f20e846a6487a9c2b36bed4f", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files. Confirm against the Bazel BUILD graph and include sites before removing it.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|e47f042a7d8417c07850058d6996a14b5f00eca0f20e846a6487a9c2b36bed4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ink/strokes/internal/stroke_shape_update.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 134486, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6a2e8e4cc7e4dfecdc40d7ae35c08fe2e79425f3c639a517955a898b143c4f5c", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix (`update` here, which can also be an ordinary domain word, so this is a prompt to review rather than a confirmed artifact).", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": 
"fp|6a2e8e4cc7e4dfecdc40d7ae35c08fe2e79425f3c639a517955a898b143c4f5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ink/strokes/internal/stroke_shape_update.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 134498, "scanner": "repobility-threat-engine", "fingerprint": "90c67a18124d7f5cc18e76dfe7eca04bcc77ac250587d6d1963de4a5eea3cee6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|90c67a18124d7f5cc18e76dfe7eca04bcc77ac250587d6d1963de4a5eea3cee6", "aggregated_count": 6}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 134497, "scanner": "repobility-threat-engine", "fingerprint": "f37f5156310318d65acf3e200db5abcf1cbeff784d5dc0ed6e6e71689cb2f2fe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", 
"triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f37f5156310318d65acf3e200db5abcf1cbeff784d5dc0ed6e6e71689cb2f2fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ink/geometry/internal/jni/mesh_native_helper.h"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 134496, "scanner": "repobility-threat-engine", "fingerprint": "9ac4cf58330bb916e67cb84a60728a2d0b2052ab437daf57c38ae0dbc637059b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9ac4cf58330bb916e67cb84a60728a2d0b2052ab437daf57c38ae0dbc637059b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ink/geometry/internal/jni/mesh_format_native_helper.h"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 134495, "scanner": "repobility-threat-engine", "fingerprint": "1e13f72572616dc103e9352ba1ba595c3f96104bdae6d2c023207ac30b4abca4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, 
"mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1e13f72572616dc103e9352ba1ba595c3f96104bdae6d2c023207ac30b4abca4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ink/brush/internal/jni/brush_native_helper.h"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED022", "level": "none", "message": {"text": "[MINED022] C Strcpy (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "properties": {"repobilityId": 134494, "scanner": "repobility-threat-engine", "fingerprint": "c8fae6b6648b7323150ee0a8c0f4c724231d6f275f27e542ff275ee5a7654f90", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 40 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c8fae6b6648b7323150ee0a8c0f4c724231d6f275f27e542ff275ee5a7654f90", "aggregated_count": 40}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `bazel-contrib/setup-bazel` pinned to mutable ref `@0.18.0`"}, "properties": {"repobilityId": 134489, "scanner": "repobility-supply-chain", "fingerprint": "1c5ae6ddb96f296fc51b97725aa6bca210d9fa3adea64d292dc9d75d600a928b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1c5ae6ddb96f296fc51b97725aa6bca210d9fa3adea64d292dc9d75d600a928b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel-test.yaml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 134488, "scanner": "repobility-supply-chain", "fingerprint": "a3b791aabb8de2ec8e243701a60474eb4099b04fa9f88833670399e67869be27", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", 
"correlation_key": "fp|a3b791aabb8de2ec8e243701a60474eb4099b04fa9f88833670399e67869be27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel-test.yaml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat don't bounds-check; use snprintf, strlcpy, or std::string (strncpy alone does not guarantee NUL termination)."}, "properties": {"repobilityId": 134493, "scanner": "repobility-threat-engine", "fingerprint": "9de8a7c97261f256ad6a1a371c436f7df2197cf0b75f883f41dc7f10b237780f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. This hit is in what appears to be a test file (`_test.cc`), which lowers its production impact; also confirm the callee is the libc strcpy/strcat and not a substring match on a similarly named helper before treating it as critical.", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9de8a7c97261f256ad6a1a371c436f7df2197cf0b75f883f41dc7f10b237780f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ink/brush/brush_coat_test.cc"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat don't bounds-check; use snprintf, strlcpy, or std::string (strncpy alone does not guarantee NUL termination)."}, "properties": {"repobilityId": 134492, "scanner": "repobility-threat-engine", "fingerprint": "4b531b34878d041a9209c38243ca12d63f72303b6cef04299933c35785082b34", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Confirm the callee is the libc strcpy/strcat and not a substring match on a similarly named helper before treating it as critical.", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, 
"observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4b531b34878d041a9209c38243ca12d63f72303b6cef04299933c35785082b34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ink/brush/brush_coat.cc"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat don't bounds-check; use snprintf, strlcpy, or std::string (strncpy alone does not guarantee NUL termination)."}, "properties": {"repobilityId": 134491, "scanner": "repobility-threat-engine", "fingerprint": "0044a8d77fe965f069f45ac735510ac392a639f29424bc5e33f1a8f1c9bf5a87", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Confirm the callee is the libc strcpy/strcat and not a substring match on a similarly named helper before treating it as critical.", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0044a8d77fe965f069f45ac735510ac392a639f29424bc5e33f1a8f1c9bf5a87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ink/brush/brush.cc"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GOOGLE_CREDENTIALS` on a `pull_request` trigger"}, "properties": {"repobilityId": 134490, "scanner": "repobility-supply-chain", "fingerprint": "2860511e457fd56c65319de5dbf42338b0a2581af8721af3fb4a1284774a59d3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", 
"correlation_key": "fp|2860511e457fd56c65319de5dbf42338b0a2581af8721af3fb4a1284774a59d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel-test.yaml"}, "region": {"startLine": 41}}}]}]}]}