{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be applied in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML when inserting plain text. When markup must be rendered, sanitize it with DOMPurify before assigning it to innerHTML."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. 
Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials.", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/341"}, "properties": {"repository": "awizemann/scarf", "repoUrl": "https://github.com/awizemann/scarf", "branch": "main"}, "results": [{"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10862, "scanner": "repobility-agent-runtime", "fingerprint": "1fd94f36032ba77fd4336a918f1ce0629ef506ff2d13a1999c443b7c48e51254", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|1fd94f36032ba77fd4336a918f1ce0629ef506ff2d13a1999c443b7c48e51254"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "site/landing/app.js"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10861, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c0961cb06f31e9a3b65df566464c0151fe840485be74302096b1511a76e61554", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scarf/scarf/Features/Cron/Views/CronView.swift", "duplicate_line": 113, "correlation_key": "fp|c0961cb06f31e9a3b65df566464c0151fe840485be74302096b1511a76e61554"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scarf/scarf/Features/Dashboard/Views/DashboardView.swift"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10860, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8cf12cf78411b9478075c393e89804babe868f3cd6432101be41e68170e3040f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scarf/Scarf iOS/Curator/CuratorView.swift", "duplicate_line": 150, "correlation_key": "fp|8cf12cf78411b9478075c393e89804babe868f3cd6432101be41e68170e3040f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scarf/scarf/Features/Curator/Views/CuratorView.swift"}, 
"region": {"startLine": 149}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10859, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac9fc234456027d1828b290936e24d93abc6d3c18f10121f7fd9e6a6a48f4bba", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scarf/scarf/Features/Curator/Views/CuratorArchivedSection.swift", "duplicate_line": 77, "correlation_key": "fp|ac9fc234456027d1828b290936e24d93abc6d3c18f10121f7fd9e6a6a48f4bba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scarf/scarf/Features/Curator/Views/CuratorPruneConfirmSheet.swift"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10858, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9880a74b9cf70623bfdcd12c617345ae469def0905346e3b4ce62a5ca85af70e", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scarf/Scarf iOS/Dashboard/DashboardView.swift", "duplicate_line": 174, "correlation_key": "fp|9880a74b9cf70623bfdcd12c617345ae469def0905346e3b4ce62a5ca85af70e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scarf/scarf/Features/Cron/Views/CronView.swift"}, "region": {"startLine": 343}}}]}, {"ruleId": "AIC003", 
"level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10857, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dcb8a3399aec6c725783fbe539dd344f33a11e53d97c1a31f038584d76c3ad6b", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scarf/scarf/Core/Services/NousAuthFlow.swift", "duplicate_line": 48, "correlation_key": "fp|dcb8a3399aec6c725783fbe539dd344f33a11e53d97c1a31f038584d76c3ad6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scarf/scarf/Features/CredentialPools/ViewModels/OAuthFlowController.swift"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10856, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ceca8dbfedd81ac0b14b1723b3f087a62285264551b5704bf3c5077fa885f4c1", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scarf/scarf/Core/Services/ProjectTemplateExporter.swift", "duplicate_line": 230, "correlation_key": "fp|ceca8dbfedd81ac0b14b1723b3f087a62285264551b5704bf3c5077fa885f4c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scarf/scarf/Core/Services/ProjectTemplateService.swift"}, "region": {"startLine": 214}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 10855, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f8b408e786fecc8c12d5e9cde8efce6d7eab7043cb755be040732840a26b9417", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scarf/Packages/ScarfCore/Sources/ScarfCore/Services/NousModelCatalogService.swift", "duplicate_line": 101, "correlation_key": "fp|f8b408e786fecc8c12d5e9cde8efce6d7eab7043cb755be040732840a26b9417"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scarf/scarf/Core/Services/CatalogService.swift"}, "region": {"startLine": 103}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10854, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a1ea42b2386c1b86505df54fc9c05f964ed8fde4f0f469d2e38f96129394a942", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scarf/Scarf iOS/Plugins/PluginsView.swift", "duplicate_line": 7, "correlation_key": "fp|a1ea42b2386c1b86505df54fc9c05f964ed8fde4f0f469d2e38f96129394a942"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scarf/Scarf iOS/Webhooks/WebhooksView.swift"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, 
"properties": {"repobilityId": 10853, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fb5870303442c8af567ed7e6382f700b8eeff9a08c99391d4b11dd3c41b902eb", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scarf/Scarf iOS/Chat/ProjectPickerSheet.swift", "duplicate_line": 62, "correlation_key": "fp|fb5870303442c8af567ed7e6382f700b8eeff9a08c99391d4b11dd3c41b902eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scarf/Scarf iOS/Projects/ProjectsListView.swift"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10852, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e6f87e633339e49c8d6f637084a82db870e683da92f4efbc4dd876b51304211", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scarf/Scarf iOS/Plugins/PluginsView.swift", "duplicate_line": 7, "correlation_key": "fp|5e6f87e633339e49c8d6f637084a82db870e683da92f4efbc4dd876b51304211"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scarf/Scarf iOS/Profiles/ProfilesView.swift"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10851, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"9769a78aeab7211b6233ad058fa5ebe1cb102fb7b71cd6528fce75d3a712af21", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scarf/Packages/ScarfCore/Sources/ScarfCore/Transport/LocalTransport.swift", "duplicate_line": 159, "correlation_key": "fp|9769a78aeab7211b6233ad058fa5ebe1cb102fb7b71cd6528fce75d3a712af21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scarf/Packages/ScarfCore/Sources/ScarfCore/Transport/SSHTransport.swift"}, "region": {"startLine": 276}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10850, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fa6e82fc3cf968c0b237cee21bc9403702db6bf1eaae85213424f1789dad3afa", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scarf/Packages/ScarfCore/Sources/ScarfCore/Services/CuratorService.swift", "duplicate_line": 206, "correlation_key": "fp|fa6e82fc3cf968c0b237cee21bc9403702db6bf1eaae85213424f1789dad3afa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scarf/Packages/ScarfCore/Sources/ScarfCore/Services/KanbanService.swift"}, "region": {"startLine": 319}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 10863, "scanner": 
"repobility-threat-engine", "fingerprint": "e161ef20dfaa109de2c7c7924bdb319077a6dcb1b8f97f4b84a09e03ab0feee9", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = r", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|site/widgets.js|180|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/widgets.js"}, "region": {"startLine": 180}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 10868, "scanner": "repobility-threat-engine", "fingerprint": "019b39b089e0a5300e633ba49803bcfe4794f6c5a6a074ad04df1b5dc533e687", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|019b39b089e0a5300e633ba49803bcfe4794f6c5a6a074ad04df1b5dc533e687"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 10867, "scanner": "repobility-threat-engine", "fingerprint": "15773bcdf625ae0e8b90c8ed6d0ac9b2f62981ce0d62c65c281e2e32b1c1ef01", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.warning(\"Notification authorization failed: \\(error.localizedDescription, privacy: .public)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|8|logger.warning notification authorization failed: error.localizeddescription privacy: .public"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scarf/scarf/Core/Services/ChatNotificationService.swift"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 10866, "scanner": "repobility-threat-engine", "fingerprint": "52ec38dde0ed3e928d5e00e23c423e8fd9358aa1cb26b1b9dc17176dd099d446", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.warning(\"install couldn't mirror secrets to ~/.hermes/.env: \\(error.localizedDescription, pri", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|4|logger.warning install couldn t mirror secrets to /.hermes/.env: error.localizeddescription pri"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scarf/scarf/Core/Services/ProjectTemplateInstaller.swift"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 10865, "scanner": "repobility-threat-engine", "fingerprint": "e68737781ee217fb9337396bf6ee26ba1eb7f92bd8529ea8e56d10fe1e07c4f4", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.warning(\"uninstall couldn't strip secrets block from ~/.hermes/.env: \\(error.localizedDescrip", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|15|logger.warning uninstall couldn t strip secrets block from /.hermes/.env: error.localizeddescrip"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scarf/scarf/Core/Services/ProjectTemplateUninstaller.swift"}, "region": {"startLine": 156}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. 
These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 10864, "scanner": "repobility-threat-engine", "fingerprint": "e7c2e2d4151c71e7eb568c445e526dc948add0ea4f991259ab38b84d5f124f40", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgres://user:pass@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|9|postgres://user:pass"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scarf/Packages/ScarfCore/Sources/ScarfCore/Models/MCPServerPreset.swift"}, "region": {"startLine": 97}}}]}]}]}