{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 33.3% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 33.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "Confirm whether this file is reachable. 
If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "Add regression tests for anonymous denial, cross-user object denial, admin role limits, and super_admin-only behavior."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing 
module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.", "shortDescription": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16.\nAlso block loopback (127/8) and the IPv6 equivalents (::1, fc00::/7, fe80::/10), and apply the check to the IP address the hostname resolves to, re-checking on every redirect."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED039", "name": "[MINED039] Rust Todo Macro (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED039] Rust Todo Macro (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED041", "name": "[MINED041] Rust Unimplemented Macro (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED041] Rust Unimplemented Macro (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 59 more): Same pattern found in 59 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 59 more): Same pattern found in 59 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 63 more): Same pattern found in 63 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 63 more): Same pattern found in 63 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 17 more): Same pattern found in 17 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 17 more): Same pattern found in 17 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 66 more): Same pattern found in 66 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 66 more): Same pattern found in 66 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `registry:2` unpinned: `container/services image: registry:2` without `@sha", "shortDescription": {"text": "[MINED126] Workflow container/services image `registry:2` unpinned: `container/services image: registry:2` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discip"}, "fullDescription": {"text": "Replace with `registry:2@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `cachix/install-nix-action` pinned to mutable ref `@v31`: `uses: cachix/install-nix-action@v31` resolv", "shortDescription": {"text": "[MINED115] Action `cachix/install-nix-action` pinned to mutable ref `@v31`: `uses: cachix/install-nix-action@v31` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files "}, "fullDescription": {"text": "Replace with: `uses: cachix/install-nix-action@<40-char-sha>  # v31` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED128", "name": "[MINED128] go.mod replaces `(` \u2014 redirects to fork `github.com/consensys/gnark`: `replace ( => github.com/consensys/gnar", "shortDescription": {"text": "[MINED128] go.mod replaces `(` \u2014 redirects to fork `github.com/consensys/gnark`: `replace ( => github.com/consensys/gnark` overrides the canonical dependency with a different source (redirects to fork `github.com/consensys/gnark`). 
Local-pa"}, "fullDescription": {"text": "If the replace is intentional (e.g. waiting on an upstream fix), vendor the dependency into the repo and add a comment explaining the reason. Remove the replace once upstream merges."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC035", "name": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based o", "shortDescription": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation."}, "fullDescription": {"text": "Cap user-controlled sizes BEFORE allocation:\n  size = min(int(request.args.get('n', 100)), MAX_SIZE)\nSet framework-level limits:\n  Flask:    app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024\n  FastAPI:  use middleware to enforce request size\n  Django:   DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py\nNever raise `sys.setrecursionlimit` past 10K without a deeper review."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.", "shortDescription": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_re", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfil"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed. `pull_request_target` runs in the context of the base repository with access to its secrets, so the workflow must not check out, build, or execute the pull request's head code in any job that can read the secret."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC048", "name": "[SEC048] AWS access key (any prefix): AWS access key ID detected (supports access, session, batch, codecommit prefixes).", "shortDescription": {"text": "[SEC048] AWS access key (any prefix): AWS access key ID detected (supports access, session, batch, codecommit prefixes). Ported from gitleaks aws-access-token (MIT)."}, "fullDescription": {"text": "Rotate the key in IAM and move to AWS Secrets Manager or environment variables loaded at runtime."}, "properties": {"scanner": "repobility-threat-engine", "category": "secret", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/818"}, "properties": {"repository": "unionlabs/union", "repoUrl": "https://github.com/unionlabs/union", "branch": "main"}, "results": [{"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 33.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 72099, "scanner": "repobility-access-control", "fingerprint": "428bba7e78ca5dadacd769b0ae359888a4bbbdef443ba24eb50394e8f889518f", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 3, "correlation_key": "fp|428bba7e78ca5dadacd769b0ae359888a4bbbdef443ba24eb50394e8f889518f", "auth_visible_percent": 33.3}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 72098, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": 
"repobility-access-control", "frameworks": ["Axum"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 72067, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d35a3e0df162407eb41dd8fe6da8e3685ed40c1ecfe3be3113ae509e7d163243", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|d35a3e0df162407eb41dd8fe6da8e3685ed40c1ecfe3be3113ae509e7d163243"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/fulu/light_client_finality_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 72066, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fe62284d70c9871f892e301904a2d4503fa4f08391f234f5b9ad77cd01999d13", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|fe62284d70c9871f892e301904a2d4503fa4f08391f234f5b9ad77cd01999d13"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/electra/light_client_finality_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 72065, "scanner": "repobility-ai-code-hygiene", "fingerprint": "17af626963b645be4131ac60df0d46a6fd669d9bd9c49538b111ea49a8c9cd76", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|17af626963b645be4131ac60df0d46a6fd669d9bd9c49538b111ea49a8c9cd76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/deneb/light_client_finality_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 72064, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4df8cc9d4bcb752f32784db94ef179c99d8a39718d44467ecda2c34f91c23a55", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|4df8cc9d4bcb752f32784db94ef179c99d8a39718d44467ecda2c34f91c23a55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"lib/beacon-api-types/src/capella/light_client_finality_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 72063, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8da7e5fd4b665a159d0217054ab0846f6ed79631036a34f8925523645de3ac0d", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|8da7e5fd4b665a159d0217054ab0846f6ed79631036a34f8925523645de3ac0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/bellatrix/light_client_finality_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 72062, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ebf9a7b5224c8371812479e1bff0bf81a21eac5404a06ff8776c4d080ea23806", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|ebf9a7b5224c8371812479e1bff0bf81a21eac5404a06ff8776c4d080ea23806"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/altair/light_client_finality_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 72027, "scanner": "repobility-threat-engine", "fingerprint": "a7124c8fb9b2ef681247182f600ccca1533e052b18e79bd705d55288af814c9e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{Addr: \":\" + strconv.Itoa(port)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a7124c8fb9b2ef681247182f600ccca1533e052b18e79bd705d55288af814c9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "galoisd/cmd/galoisd/cmd/query_stats_health.go"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 72016, "scanner": "repobility-threat-engine", "fingerprint": "2e472cc252e8e5bb0159b815b9eeeeeb0676bf2f9cae5ce854afd0a05bbe6a6d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ":exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|17|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "devnet-compose/src/voyager.rs"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 72015, "scanner": "repobility-threat-engine", "fingerprint": "3a3e82e28105254de9c277890cbd346620b42a3d2b6c7c3a86f839b1ff4a6355", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|215|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "devnet-compose/src/process_compose.rs"}, "region": {"startLine": 215}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 72014, "scanner": "repobility-threat-engine", "fingerprint": "5ce1fc10093876035ee4b165cc4f4a86958ea1efc7de38bdb7cdfdee17b1e78a", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ":exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|43|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "devnet-compose/src/galois.rs"}, "region": {"startLine": 43}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 72100, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Axum"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72097, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e178a5045e234883f5039ecedab47a6ff2ad9090cae5ba8950fd1f6723a6468d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/dashboard/services/add-cosmos-wallet.ts", "duplicate_line": 57, "correlation_key": "fp|e178a5045e234883f5039ecedab47a6ff2ad9090cae5ba8950fd1f6723a6468d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/dashboard/services/add-evm-wallet.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72096, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a8afa89577fe2fc5b0f84dbc57de14bf6d2d4c872e8f4ba7846f79ac211cbd51", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/dashboard/components/DeleteAccountModal.svelte", "duplicate_line": 21, "correlation_key": "fp|a8afa89577fe2fc5b0f84dbc57de14bf6d2d4c872e8f4ba7846f79ac211cbd51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/dashboard/components/UnlinkAccountModal.svelte"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72095, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d21a50d7b24998a827d775137e4e41698b2892b3671fbb6c1cee2c8725885e7f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/components/layout/YapAd.svelte", "duplicate_line": 29, "correlation_key": "fp|d21a50d7b24998a827d775137e4e41698b2892b3671fbb6c1cee2c8725885e7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/dashboard/components/SideCard.svelte"}, "region": {"startLine": 151}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72094, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f7528dbb613f2385270b69495d8722844799d07da685bfe7ef9fb890f0c212e0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/dashboard/components/NewUser.svelte", "duplicate_line": 5, "correlation_key": "fp|f7528dbb613f2385270b69495d8722844799d07da685bfe7ef9fb890f0c212e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/dashboard/components/SideCard.svelte"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72093, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3c66c17015cc4bfa03ee9da37237a2999cdb5a36094658c05f164b425ef90db2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"app2/src/lib/dashboard/components/AchievementStats.svelte", "duplicate_line": 94, "correlation_key": "fp|3c66c17015cc4bfa03ee9da37237a2999cdb5a36094658c05f164b425ef90db2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/dashboard/components/RewardStats.svelte"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72092, "scanner": "repobility-ai-code-hygiene", "fingerprint": "63ccd55eb13274ba69667fabb4738b1b068e4da7c6bc25c168b32ff342d66106", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/dashboard/components/AchievementTabs.svelte", "duplicate_line": 471, "correlation_key": "fp|63ccd55eb13274ba69667fabb4738b1b068e4da7c6bc25c168b32ff342d66106"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/dashboard/components/MissionTabs.svelte"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72091, "scanner": "repobility-ai-code-hygiene", "fingerprint": "78b0309398b991519f0582973f22df10371b8f1fa49428f34bff1e997ef48cc1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/dashboard/components/AchievementStats.svelte", 
"duplicate_line": 94, "correlation_key": "fp|78b0309398b991519f0582973f22df10371b8f1fa49428f34bff1e997ef48cc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/dashboard/components/MissionStats.svelte"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72090, "scanner": "repobility-ai-code-hygiene", "fingerprint": "14a9523cefe790e19371ca718a338e23926a87fa2fed0e09081b9545bbef1c3a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/components/ui/PacketListPagination.svelte", "duplicate_line": 8, "correlation_key": "fp|14a9523cefe790e19371ca718a338e23926a87fa2fed0e09081b9545bbef1c3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/components/ui/TransferListPagination.svelte"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72089, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e52795be97f7b0e05ad8ad0d6619c484866baf56b8aa97a9a6942abdd5781bf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/components/stake/BondComponent.svelte", "duplicate_line": 283, "correlation_key": 
"fp|5e52795be97f7b0e05ad8ad0d6619c484866baf56b8aa97a9a6942abdd5781bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/components/stake/WithdrawalComponent.svelte"}, "region": {"startLine": 199}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72088, "scanner": "repobility-ai-code-hygiene", "fingerprint": "677328f74b68469e079d4ab2341d35d465964a03ad1344267cc54d2aea016ceb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/components/stake/UnbondComponent.svelte", "duplicate_line": 239, "correlation_key": "fp|677328f74b68469e079d4ab2341d35d465964a03ad1344267cc54d2aea016ceb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/components/stake/WithdrawalComponent.svelte"}, "region": {"startLine": 161}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72087, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a61ea44ebe66fc100dc3bfbb8ab044605a2f39dbe6f2c0f871f088691dc1675c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/components/stake/ProxyDustRecovery.svelte", "duplicate_line": 357, "correlation_key": 
"fp|a61ea44ebe66fc100dc3bfbb8ab044605a2f39dbe6f2c0f871f088691dc1675c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/components/stake/UnbondComponent.svelte"}, "region": {"startLine": 548}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72086, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e67182ca4712a693a02dce61eb03c8f625c29aea75fe8eefc7e3eb8529ad77d4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/components/stake/QuickWithdrawComponent.svelte", "duplicate_line": 362, "correlation_key": "fp|e67182ca4712a693a02dce61eb03c8f625c29aea75fe8eefc7e3eb8529ad77d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/components/stake/UnbondComponent.svelte"}, "region": {"startLine": 435}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72085, "scanner": "repobility-ai-code-hygiene", "fingerprint": "277d3d40ce9626819b006283630781b5be84b2b2143a4c4ad58250b998afa243", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/components/stake/StatusDisplay.svelte", "duplicate_line": 22, "correlation_key": 
"fp|277d3d40ce9626819b006283630781b5be84b2b2143a4c4ad58250b998afa243"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/components/stake/UnbondComponent.svelte"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72084, "scanner": "repobility-ai-code-hygiene", "fingerprint": "151e428d4f33b2f8d2f0d882c9159214520d2a8c26f9591477d861275330d5e5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/components/stake/BondComponent.svelte", "duplicate_line": 42, "correlation_key": "fp|151e428d4f33b2f8d2f0d882c9159214520d2a8c26f9591477d861275330d5e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/components/stake/UnbondComponent.svelte"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72083, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cf21843eefb46bb78e6f2fcaf21b141b14a777b763bb93e4a19e2cb4973dd5dc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/components/stake/QuickWithdrawComponent.svelte", "duplicate_line": 56, "correlation_key": "fp|cf21843eefb46bb78e6f2fcaf21b141b14a777b763bb93e4a19e2cb4973dd5dc"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/components/stake/StatusDisplay.svelte"}, "region": {"startLine": 61}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72082, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ae319e2182e3fb172e709f31451d3507fcf32df13c11966c3e2cb5ce47349a44", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/components/stake/ProxyDustRecovery.svelte", "duplicate_line": 53, "correlation_key": "fp|ae319e2182e3fb172e709f31451d3507fcf32df13c11966c3e2cb5ce47349a44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/components/stake/StatusDisplay.svelte"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72081, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9eacccdf79a03da8dea55fca1ec6b67830c97d571f6e64168e82c96da2623276", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/components/stake/BondComponent.svelte", "duplicate_line": 85, "correlation_key": "fp|9eacccdf79a03da8dea55fca1ec6b67830c97d571f6e64168e82c96da2623276"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"app2/src/lib/components/stake/StatusDisplay.svelte"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72080, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b46751d9f6ca25b9c6e6c98cbb75fe2278d7138fc441b3e95b764cda92ea112e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/components/stake/BondComponent.svelte", "duplicate_line": 351, "correlation_key": "fp|b46751d9f6ca25b9c6e6c98cbb75fe2278d7138fc441b3e95b764cda92ea112e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/components/stake/QuickWithdrawComponent.svelte"}, "region": {"startLine": 265}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72079, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0bdb1922dfaf3c7077589b1fbbdb0c85e4e612373d7b330081cc88492c577fdf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/components/stake/BondComponent.svelte", "duplicate_line": 253, "correlation_key": "fp|0bdb1922dfaf3c7077589b1fbbdb0c85e4e612373d7b330081cc88492c577fdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/components/stake/ProxyDustRecovery.svelte"}, "region": 
{"startLine": 126}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72078, "scanner": "repobility-ai-code-hygiene", "fingerprint": "71ad3f39b47476ddb5c6132f9c429defa35274f388e6823c668eeeebadd3d931", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/components/model/DustWithdrawalListItemComponent.svelte", "duplicate_line": 44, "correlation_key": "fp|71ad3f39b47476ddb5c6132f9c429defa35274f388e6823c668eeeebadd3d931"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/components/model/WithdrawalListItemComponent.svelte"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72077, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7061706868c95e298d19b5c620595010673f61e41b5c9bdce4c816530d1b3111", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/components/model/BlockHeightComponent.svelte", "duplicate_line": 24, "correlation_key": "fp|7061706868c95e298d19b5c620595010673f61e41b5c9bdce4c816530d1b3111"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/components/model/TransactionHashComponent.svelte"}, "region": {"startLine": 27}}}]}, {"ruleId": 
"AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72076, "scanner": "repobility-ai-code-hygiene", "fingerprint": "75ecbf2f5f4cbdbe1c7dc3c531903005a835223bd828a0f02e031414eb57757c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/components/model/BlockHashComponent.svelte", "duplicate_line": 5, "correlation_key": "fp|75ecbf2f5f4cbdbe1c7dc3c531903005a835223bd828a0f02e031414eb57757c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/components/model/TransactionHashComponent.svelte"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72075, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8e8d8d0d1a446c6a2cb2fd498d320cd7fa044dfc991a9e1306b896d365d1c496", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/components/model/DustWithdrawalListItemComponent.svelte", "duplicate_line": 56, "correlation_key": "fp|8e8d8d0d1a446c6a2cb2fd498d320cd7fa044dfc991a9e1306b896d365d1c496"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/components/model/StakingListItemComponent.svelte"}, "region": {"startLine": 95}}}]}, {"ruleId": "AIC003", "level": "note", "message": 
{"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72074, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d65c61e70d723c90f4761c2248c1a4d3cdce033e29cec6651286bcff31ddbc7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/components/model/InsetError.svelte", "duplicate_line": 40, "correlation_key": "fp|9d65c61e70d723c90f4761c2248c1a4d3cdce033e29cec6651286bcff31ddbc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/components/model/MultisigMessage.svelte"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72073, "scanner": "repobility-ai-code-hygiene", "fingerprint": "76251880169e8302143ee5071f687b74997643ae991d751edfee67ab0e3a52b5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app2/src/lib/components/icons/AngleArrowIcon.svelte", "duplicate_line": 1, "correlation_key": "fp|76251880169e8302143ee5071f687b74997643ae991d751edfee67ab0e3a52b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/lib/components/icons/ArrowDownLeft.svelte"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 72072, "scanner": "repobility-ai-code-hygiene", "fingerprint": "773774a99518a01b97403b87cdd43ad984a389029ca270a89b750ba97385612c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/beacon-api-types/src/electra/light_client_update.rs", "duplicate_line": 1, "correlation_key": "fp|773774a99518a01b97403b87cdd43ad984a389029ca270a89b750ba97385612c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/fulu/light_client_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72071, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3e956c14913c6ec8f1be1ede7ac2cb2dbcc4391575301f69388fcbcdcf7dfe11", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/beacon-api-types/src/electra/light_client_finality_update.rs", "duplicate_line": 1, "correlation_key": "fp|3e956c14913c6ec8f1be1ede7ac2cb2dbcc4391575301f69388fcbcdcf7dfe11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/fulu/light_client_finality_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72070, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "58ebb4afecfcf8b716f918e086dcd4b919a129168901fab93045e96cd625509c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/beacon-api-types/src/altair/light_client_update.rs", "duplicate_line": 6, "correlation_key": "fp|58ebb4afecfcf8b716f918e086dcd4b919a129168901fab93045e96cd625509c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/deneb/light_client_update.rs"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72069, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b8af411ea3ba0c4f258106d3cc4c3c15c5ee52a91fcfa89f6011d8cecf657b68", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/beacon-api-types/src/altair/light_client_finality_update.rs", "duplicate_line": 6, "correlation_key": "fp|b8af411ea3ba0c4f258106d3cc4c3c15c5ee52a91fcfa89f6011d8cecf657b68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/deneb/light_client_finality_update.rs"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72068, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"87164fcccde91ce67d0f0c19e097722e8526787cc42a44d35423e607cd18d619", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/beacon-api-types/src/bellatrix/light_client_update.rs", "duplicate_line": 5, "correlation_key": "fp|87164fcccde91ce67d0f0c19e097722e8526787cc42a44d35423e607cd18d619"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/capella/light_client_update.rs"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 72061, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9324dd5cc7e24d2d099b7da5e7bfd6c6f8470bd243e6fe54437bc03bfcd6ab76", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|9324dd5cc7e24d2d099b7da5e7bfd6c6f8470bd243e6fe54437bc03bfcd6ab76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/ethereum-sync-protocol-types/src/light_client_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 72060, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4271d104e159cadba915d12ffc1cce3340c62cdfea0174e78e4a3ab2cbd5dbb3", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", 
"verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|4271d104e159cadba915d12ffc1cce3340c62cdfea0174e78e4a3ab2cbd5dbb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/ethereum-light-client-types/src/light_client_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 72059, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2d7442cb626651a668fcdd8b82986d0a94c3c5932e85ad9ac30316887f037e19", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|2d7442cb626651a668fcdd8b82986d0a94c3c5932e85ad9ac30316887f037e19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/fulu/light_client_finality_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 72058, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b654945ee922b25cd29b643c4444a6a2bbc79531e858b4deef19107731ab3c67", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": 
["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|b654945ee922b25cd29b643c4444a6a2bbc79531e858b4deef19107731ab3c67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/fulu/light_client_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 72057, "scanner": "repobility-ai-code-hygiene", "fingerprint": "66206d20334b76befa30755773fc3aed59c8d9eb50ccdb6861afa4d39241f82e", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|66206d20334b76befa30755773fc3aed59c8d9eb50ccdb6861afa4d39241f82e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/electra/light_client_finality_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 72056, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cc28b7a36656d8416b78b9a83f38fadec47f3fd2c7cef945c8da2af214008ad1", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|cc28b7a36656d8416b78b9a83f38fadec47f3fd2c7cef945c8da2af214008ad1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"lib/beacon-api-types/src/electra/light_client_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 72055, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c16a2d515a8a3fe2d30f1bed2fb25ea43449e9076ed752105df3fc73f09d062a", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|c16a2d515a8a3fe2d30f1bed2fb25ea43449e9076ed752105df3fc73f09d062a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/deneb/light_client_finality_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 72054, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7b74eb122e9ba2ff4b0912c46ebf24d004479ff2287323fe4cb9abd88e956536", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|7b74eb122e9ba2ff4b0912c46ebf24d004479ff2287323fe4cb9abd88e956536"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/deneb/light_client_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 72053, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "7562ce8d11b7a1d83af5c59df59d17b159388d4c23a1fc698e4b80b650d896f1", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|7562ce8d11b7a1d83af5c59df59d17b159388d4c23a1fc698e4b80b650d896f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/capella/light_client_finality_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 72052, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c14d6df752c249feab7c411203319205b1faafede691d1c4cf05bc067859b686", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|c14d6df752c249feab7c411203319205b1faafede691d1c4cf05bc067859b686"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/capella/light_client_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 72051, "scanner": "repobility-ai-code-hygiene", "fingerprint": "780962a2df3d4892561fb2161047e64a465ffd119a84888d0a366160633e7741", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", 
"isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|780962a2df3d4892561fb2161047e64a465ffd119a84888d0a366160633e7741"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/bellatrix/light_client_finality_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 72050, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d3e27a1d82c6fdd5dd2f66e59ce4e82b8de940787adc1f4c44ccbed4b9ff510", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|8d3e27a1d82c6fdd5dd2f66e59ce4e82b8de940787adc1f4c44ccbed4b9ff510"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/bellatrix/light_client_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 72049, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aa049ae5bf1d848b3991271ba85328f54aa2784307d9c5d920fbc7d6999f794c", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": 
["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|aa049ae5bf1d848b3991271ba85328f54aa2784307d9c5d920fbc7d6999f794c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/altair/light_client_finality_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 72048, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e21fda18481d2003f08621250519843c24f4eb5548a72a7e4a5226479b9b9fcf", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|e21fda18481d2003f08621250519843c24f4eb5548a72a7e4a5226479b9b9fcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/beacon-api-types/src/altair/light_client_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 72047, "scanner": "repobility-threat-engine", "fingerprint": "09d8e74e9a02c2a51c585a6aa80af05e897afccc7e7918056427abc4fe7f1f55", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = t.Execute(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|09d8e74e9a02c2a51c585a6aa80af05e897afccc7e7918056427abc4fe7f1f55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"uniond/docs/docs.go"}, "region": {"startLine": 32}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 72046, "scanner": "repobility-threat-engine", "fingerprint": "fec28beeca0ec59974e2fb8fa67496fbf0221f9a512b9bafb719b159a44428b3", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = config.ReadFromClientConfig(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fec28beeca0ec59974e2fb8fa67496fbf0221f9a512b9bafb719b159a44428b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uniond/cmd/uniond/cmd/root.go"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 72043, "scanner": "repobility-threat-engine", "fingerprint": "f5d20c4b32e92fcf722554b86c6eaca98d0a3e969268a93fca92bc3fdcd4d49a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f5d20c4b32e92fcf722554b86c6eaca98d0a3e969268a93fca92bc3fdcd4d49a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-sdk/src/schema/fee.ts"}, "region": {"startLine": 
64}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 72042, "scanner": "repobility-threat-engine", "fingerprint": "938cae7ea02608e30026d133ce9c105c38aff220243407c767f5eafcccccdc6d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|938cae7ea02608e30026d133ce9c105c38aff220243407c767f5eafcccccdc6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "typescript-sdk/src/evm/client.ts"}, "region": {"startLine": 189}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 72041, "scanner": "repobility-threat-engine", "fingerprint": "c147d325d1e4b0b8b17de372175ee6c42ef55608f714e514d0c121b08eb460ee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c147d325d1e4b0b8b17de372175ee6c42ef55608f714e514d0c121b08eb460ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"typescript-sdk/playground/fetch-recommended-channels-legacy.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 72040, "scanner": "repobility-threat-engine", "fingerprint": "e595ca84e7a27fd1de0340e658c857620d1b8a77add1289b6ea83047c299f40e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e595ca84e7a27fd1de0340e658c857620d1b8a77add1289b6ea83047c299f40e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-sdk/examples/cosmos-to-evm-transfer.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 72038, "scanner": "repobility-threat-engine", "fingerprint": "a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "aggregated_count": 4}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 72037, "scanner": "repobility-threat-engine", "fingerprint": "cd76228907fd5f33396aa576c5ed2001977da40b2c70272405120cfc4b13bd79", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cd76228907fd5f33396aa576c5ed2001977da40b2c70272405120cfc4b13bd79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-sdk/src/sui/quote-token.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 72036, "scanner": "repobility-threat-engine", "fingerprint": "0e97bcacc0fa6a8fda7d8a99eb11361471d456df715a9a50b227288e5e1ac7ef", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0e97bcacc0fa6a8fda7d8a99eb11361471d456df715a9a50b227288e5e1ac7ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-sdk/src/sui/channel-balance.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 72035, "scanner": "repobility-threat-engine", "fingerprint": "0143544501a0c7b1101ba3b2ec8ba569312f7c761c9b239d87c315d80450da7a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0143544501a0c7b1101ba3b2ec8ba569312f7c761c9b239d87c315d80450da7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/src/content/_snippets/landing.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 72034, "scanner": "repobility-threat-engine", "fingerprint": "d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 72033, "scanner": "repobility-threat-engine", "fingerprint": "abdcabeac4374f3ad8176d9af75d0c41e3fe3e60f99e168efbe3b1833fd3a925", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "evidence": {"match": "console.log(`Token: <redacted>} (${tokenInfo.symbol})", "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|4|console.log token: redacted tokeninfo.symbol"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-sdk/examples/cosmos-to-evm-transfer.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 72032, "scanner": "repobility-threat-engine", "fingerprint": "dc3070b9fe77f818751770953bfa382d61a060c4657545bd62f42e68c11dd9d3", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error(\"raw sendTokens error:\", err)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|13|console.error raw sendtokens error: err"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sentinel2/src/fund-babylon-accounts.ts"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 72026, "scanner": "repobility-threat-engine", "fingerprint": "491e4b326f16fb9f40e30cdc35c41db861b9bb3862a927a7db9219d7a4250b4b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|491e4b326f16fb9f40e30cdc35c41db861b9bb3862a927a7db9219d7a4250b4b"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "galoisd/cmd/galoisd/cmd/query_stats_health.go"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 72025, "scanner": "repobility-threat-engine", "fingerprint": "d6fed70b03f929bfa47ef32daafe6aa86f45c73a218cc135d487b6db41ce12fc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d6fed70b03f929bfa47ef32daafe6aa86f45c73a218cc135d487b6db41ce12fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "galoisd/cmd/galoisd/cmd/client.go"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 72023, "scanner": "repobility-threat-engine", "fingerprint": "29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 72017, "scanner": "repobility-threat-engine", "fingerprint": "b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4"}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 72013, "scanner": "repobility-threat-engine", "fingerprint": "82b03f6d47da6f8138de0c08108e5442b1e8758990e99846ee3341bc217c6ff5", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|82b03f6d47da6f8138de0c08108e5442b1e8758990e99846ee3341bc217c6ff5", "aggregated_count": 1}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 72012, "scanner": "repobility-threat-engine", "fingerprint": "f8a86bf901a1535eda55dd57cb2089d4407c8d91160fb6d05b8248cdd517a8e3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f8a86bf901a1535eda55dd57cb2089d4407c8d91160fb6d05b8248cdd517a8e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/move-bindgen/src/lib.rs"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 72011, "scanner": "repobility-threat-engine", "fingerprint": "b3f9d3f60f27e058451248eeecda293cd4af126c78228ec3f19dc080021fe1bd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b3f9d3f60f27e058451248eeecda293cd4af126c78228ec3f19dc080021fe1bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mpc/shared/src/lib.rs"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 72010, "scanner": "repobility-threat-engine", "fingerprint": "6848d6a116e88eacfabe9c030b0faa2456884bcd4dc0a27a48329e5c39e3228e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6848d6a116e88eacfabe9c030b0faa2456884bcd4dc0a27a48329e5c39e3228e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cosmwasm/proxy-account-factory/src/lib.rs"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED039", "level": "none", "message": {"text": "[MINED039] Rust Todo Macro (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 72009, "scanner": "repobility-threat-engine", "fingerprint": "eea72d29f666a500db962a149d2936b8b81b60f6385d7d180e6bae697e20aa1d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-todo-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347989+00:00", "triaged_in_corpus": 15, "observations_count": 1561, "ai_coder_pattern_id": 114}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|eea72d29f666a500db962a149d2936b8b81b60f6385d7d180e6bae697e20aa1d", "aggregated_count": 8}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 72005, "scanner": "repobility-threat-engine", "fingerprint": "3a4ecb96fe4ab0d3150de11c53981b89b64a54ec6a948fe3bc3dcf85fa78a184", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3a4ecb96fe4ab0d3150de11c53981b89b64a54ec6a948fe3bc3dcf85fa78a184", "aggregated_count": 10}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 72004, "scanner": "repobility-threat-engine", "fingerprint": "fe97409c52e31be0c911dafa031e930456b946684a8885c7b78de0d11cd44ace", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fe97409c52e31be0c911dafa031e930456b946684a8885c7b78de0d11cd44ace"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cosmwasm/lightclient/bob/src/client.rs"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 72003, "scanner": "repobility-threat-engine", "fingerprint": "72ff9e1b8720d9083a68f14a5c77220dabfac8fef34c5e092c025681984c7538", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|72ff9e1b8720d9083a68f14a5c77220dabfac8fef34c5e092c025681984c7538"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cosmwasm/cw-unionversal-token/src/msg.rs"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 72002, "scanner": "repobility-threat-engine", "fingerprint": "1d96360cb0947730d37cbae0d749db91f3a2d0c0458be53fed325932a1027cb1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1d96360cb0947730d37cbae0d749db91f3a2d0c0458be53fed325932a1027cb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cosmwasm/core/src/tests.rs"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED041", "level": "none", "message": {"text": "[MINED041] Rust Unimplemented Macro (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 72001, "scanner": "repobility-threat-engine", "fingerprint": "410d6c61d17e5fa6ab5bd88bc40ab2ad9fee6ac498b4c1f9d38f61508ebd533b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|410d6c61d17e5fa6ab5bd88bc40ab2ad9fee6ac498b4c1f9d38f61508ebd533b", "aggregated_count": 2}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 59 more): Same pattern found in 59 additional files. Review if needed."}, "properties": {"repobilityId": 71995, "scanner": "repobility-threat-engine", "fingerprint": "23103860e78f4d7bbd7773bd29c700ce097a218427bc328f793353baf4138083", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 59 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|23103860e78f4d7bbd7773bd29c700ce097a218427bc328f793353baf4138083", "aggregated_count": 59}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 71994, "scanner": "repobility-threat-engine", "fingerprint": "602da12fa7d641ef07f125e18e5790c15a6bec42a6b7f40bc9e3e860ac82aff3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|602da12fa7d641ef07f125e18e5790c15a6bec42a6b7f40bc9e3e860ac82aff3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cosmwasm/access-manager/src/state.rs"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 71993, "scanner": "repobility-threat-engine", "fingerprint": "3c23386c56ca3e545de562ebbfd925a9583542140131f444b44106e48674a8c3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3c23386c56ca3e545de562ebbfd925a9583542140131f444b44106e48674a8c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cosmwasm/access-manager/src/context.rs"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 71992, "scanner": "repobility-threat-engine", "fingerprint": "76b5136975bafd80604647b0968cdbf48206188957088e0a4a58c3a725ae2a4b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|76b5136975bafd80604647b0968cdbf48206188957088e0a4a58c3a725ae2a4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cosmwasm/access-managed/src/restricted.rs"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 63 more): Same pattern found in 63 additional files. Review if needed."}, "properties": {"repobilityId": 71991, "scanner": "repobility-threat-engine", "fingerprint": "785d75bc40836313b453b457c03acacc387e4d52dd561e1afaa0cd73cbd4700a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 63 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|785d75bc40836313b453b457c03acacc387e4d52dd561e1afaa0cd73cbd4700a", "aggregated_count": 63}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 71987, "scanner": "repobility-threat-engine", "fingerprint": "1f38ec8ee427c878650366a6c48e200528f96ac717745ebf5485e970f5194715", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1f38ec8ee427c878650366a6c48e200528f96ac717745ebf5485e970f5194715", "aggregated_count": 17}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 71986, "scanner": "repobility-threat-engine", "fingerprint": "3714a3bf6fec9c46f03cab6cf5e8db70add3fc2785c2863c1db00abf08edf623", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3714a3bf6fec9c46f03cab6cf5e8db70add3fc2785c2863c1db00abf08edf623"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/components/react/Editor.tsx"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 71985, "scanner": "repobility-threat-engine", "fingerprint": "881593ece7915f764e84a8463812c13f2f0aebce859f0d80802daf8b4952810a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|881593ece7915f764e84a8463812c13f2f0aebce859f0d80802daf8b4952810a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/examples/unbond.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 71984, "scanner": "repobility-threat-engine", "fingerprint": "925ae4b4d57e8f66639f51d8065f0cfb8bed84032dd23c6390ad7d56920ebb2f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|925ae4b4d57e8f66639f51d8065f0cfb8bed84032dd23c6390ad7d56920ebb2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/examples/bond.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "properties": {"repobilityId": 71983, "scanner": "repobility-threat-engine", "fingerprint": "17dd83cf3397cfa50961ed7a1eb16167dc11286eb212fcf82fd3bf6e3376bd8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|17dd83cf3397cfa50961ed7a1eb16167dc11286eb212fcf82fd3bf6e3376bd8c", "aggregated_count": 7}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 71982, "scanner": "repobility-threat-engine", "fingerprint": "12c7105bbf6266b0d36c8274c7eb3666920354bff520bdebc7ff4ab819b43cc9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|12c7105bbf6266b0d36c8274c7eb3666920354bff520bdebc7ff4ab819b43cc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sentinel2/src/check-balances.ts"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 71981, "scanner": "repobility-threat-engine", "fingerprint": "f7bb3b083e1f3d15af9f2248640632d511a1bb35e2db92bdcb89f5923e6829e6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f7bb3b083e1f3d15af9f2248640632d511a1bb35e2db92bdcb89f5923e6829e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/examples/unbond.ts"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 71980, "scanner": "repobility-threat-engine", "fingerprint": "19f36dfddcefe61c6fcb9fde8d6a24ef39f5a50e71386c92a179d0d4ee38d8a2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|19f36dfddcefe61c6fcb9fde8d6a24ef39f5a50e71386c92a179d0d4ee38d8a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/examples/bond.ts"}, "region": {"startLine": 169}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 66 more): Same pattern found in 66 additional files. Review if needed."}, "properties": {"repobilityId": 71979, "scanner": "repobility-threat-engine", "fingerprint": "50743162ae68ec504cadc8e301d04020227776683b1a5df9f482e4eafc0d70de", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 66 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|50743162ae68ec504cadc8e301d04020227776683b1a5df9f482e4eafc0d70de", "aggregated_count": 66}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 71978, "scanner": "repobility-threat-engine", "fingerprint": "38c4fbd3eeaa58885546d2b4e4ca3d8d4673680cdde92c9eca10e07db42ddbdc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|38c4fbd3eeaa58885546d2b4e4ca3d8d4673680cdde92c9eca10e07db42ddbdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/routes/explorer/orbital/canvasInit.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 71977, "scanner": "repobility-threat-engine", "fingerprint": "c768617221ac9358c6dff26c6fc94b0f3281244f2a4e9fcdaccecd841221f1d2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c768617221ac9358c6dff26c6fc94b0f3281244f2a4e9fcdaccecd841221f1d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/src/hooks.client.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 71976, "scanner": "repobility-threat-engine", "fingerprint": "5fa934cf0dc8c8b89979713ecd822c19d61bd43901bdb4e0551fa5a7b38dab05", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5fa934cf0dc8c8b89979713ecd822c19d61bd43901bdb4e0551fa5a7b38dab05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app2/examples/bond.ts"}, "region": {"startLine": 328}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 71975, "scanner": "repobility-threat-engine", "fingerprint": "b31c00d8dc95a84ada9ba2009cf9ddc0d9d673ed54b7947033cf3d8ed91e4d3c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b31c00d8dc95a84ada9ba2009cf9ddc0d9d673ed54b7947033cf3d8ed91e4d3c", "aggregated_count": 8}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 71974, "scanner": "repobility-threat-engine", "fingerprint": "41f7b4ebd350f906e544ce9fe51eb3d8c52fd246979502ca41b0e9a83a10b2d4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|41f7b4ebd350f906e544ce9fe51eb3d8c52fd246979502ca41b0e9a83a10b2d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "galoisd/cmd/galoisd/cmd/example_prove.go"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 71973, "scanner": "repobility-threat-engine", "fingerprint": "802f60ba3b133460afebfb7ac8e0ef3a8c1a2e507c93533de0ac6cb32812442d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|802f60ba3b133460afebfb7ac8e0ef3a8c1a2e507c93533de0ac6cb32812442d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "11-cometbls/zk_verifier.go"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 71972, "scanner": "repobility-threat-engine", "fingerprint": "5f23769cad229f19238d84b605e8b1a1e0e23170d65d8dd9a6b36df9d61c7567", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5f23769cad229f19238d84b605e8b1a1e0e23170d65d8dd9a6b36df9d61c7567"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "11-cometbls/update.go"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `registry:2` unpinned: `container/services image: registry:2` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 72148, "scanner": "repobility-supply-chain", "fingerprint": "750033f88b483d37c027facdcec56b02b3f5d55ca6e7e601d4ab93835044951b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|750033f88b483d37c027facdcec56b02b3f5d55ca6e7e601d4ab93835044951b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-component.yml"}, "region": {"startLine": 219}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cachix/install-nix-action` pinned to mutable ref `@v31`: `uses: cachix/install-nix-action@v31` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 72141, "scanner": "repobility-supply-chain", "fingerprint": "8cec2790b27af030d0453c5c1ab12ac4264eb76a07c4738802b1fb869dd32120", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8cec2790b27af030d0453c5c1ab12ac4264eb76a07c4738802b1fb869dd32120"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-docs.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 72140, "scanner": "repobility-supply-chain", "fingerprint": "d3209a2e2a9624f80be424fd1cbad6441e3da11f4f84c401707eb915102792a9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d3209a2e2a9624f80be424fd1cbad6441e3da11f4f84c401707eb915102792a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-docs.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 72139, "scanner": "repobility-supply-chain", "fingerprint": "8def474a4f3cb857a5a85fc117a8f37ed7e59b9074df2d045f8efdc62fbe8aff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8def474a4f3cb857a5a85fc117a8f37ed7e59b9074df2d045f8efdc62fbe8aff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-docs.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `JasonEtco/create-an-issue` pinned to mutable ref `@v2`: `uses: JasonEtco/create-an-issue@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 72138, "scanner": "repobility-supply-chain", "fingerprint": "ae76bf1461f42d2534e35094145d4fb1969a660129abb496f9fcca82fd8c8eae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae76bf1461f42d2534e35094145d4fb1969a660129abb496f9fcca82fd8c8eae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72137, "scanner": "repobility-supply-chain", "fingerprint": "3c76db3219cbff3f085b65579c0fe167bf47f3c60c9aadbcf5fb10237677257e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3c76db3219cbff3f085b65579c0fe167bf47f3c60c9aadbcf5fb10237677257e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cachix/install-nix-action` pinned to mutable ref `@v31`: `uses: cachix/install-nix-action@v31` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72128, "scanner": "repobility-supply-chain", "fingerprint": "22dffbc83cdc26fed84e73604d0d650990d430437999722ae1d6ea7ce1c9b673", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|22dffbc83cdc26fed84e73604d0d650990d430437999722ae1d6ea7ce1c9b673"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72127, "scanner": "repobility-supply-chain", "fingerprint": "09ace90ad58c2c7f4ad6ed3b8bd1eff92afec8466817b27841c1da1878f63a4d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|09ace90ad58c2c7f4ad6ed3b8bd1eff92afec8466817b27841c1da1878f63a4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72126, "scanner": "repobility-supply-chain", "fingerprint": "74851540126ec6b9d324a0f72042750c4b8e9d1fdcb90e8d1064f6b86468d459", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|74851540126ec6b9d324a0f72042750c4b8e9d1fdcb90e8d1064f6b86468d459"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cachix/install-nix-action` pinned to mutable ref `@v31`: `uses: cachix/install-nix-action@v31` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72125, "scanner": "repobility-supply-chain", "fingerprint": "be579376c7ff4c096f1a24679fd56495d11fb92772693061e422cb7efc7f0702", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be579376c7ff4c096f1a24679fd56495d11fb92772693061e422cb7efc7f0702"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72124, "scanner": "repobility-supply-chain", "fingerprint": "fd4c7ae6b44b6f0ded9845fcd54786b8fa34eae8e9b797bf40e388c6aefbfc68", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fd4c7ae6b44b6f0ded9845fcd54786b8fa34eae8e9b797bf40e388c6aefbfc68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72123, "scanner": "repobility-supply-chain", "fingerprint": "ffa122ca7089204905247c7ebba9297c4778843947edf094683cfa570e0a57ac", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ffa122ca7089204905247c7ebba9297c4778843947edf094683cfa570e0a57ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cachix/install-nix-action` pinned to mutable ref `@v31`: `uses: cachix/install-nix-action@v31` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72122, "scanner": "repobility-supply-chain", "fingerprint": "02dbdd2ad17c0ce4f7204c135a7d8f00c0bee7de484626eb9b6dc24994966b2e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|02dbdd2ad17c0ce4f7204c135a7d8f00c0bee7de484626eb9b6dc24994966b2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72121, "scanner": "repobility-supply-chain", "fingerprint": "d4d7fc3840b8d0d3aae12f481a86f9992f0d3960dc7c08945a575527a3508442", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d4d7fc3840b8d0d3aae12f481a86f9992f0d3960dc7c08945a575527a3508442"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72120, "scanner": "repobility-supply-chain", "fingerprint": "9ee87f671710a06d91a7161c33e3bc8abe46b39fdfcb13dfb4712116cbf57803", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ee87f671710a06d91a7161c33e3bc8abe46b39fdfcb13dfb4712116cbf57803"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `thollander/actions-comment-pull-request` pinned to mutable ref `@v2`: `uses: thollander/actions-comment-pull-request@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72119, "scanner": "repobility-supply-chain", "fingerprint": "ab2c24fe08030907e1329981f0fbaa2496813ab9fab32f482cd96d8770f32053", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ab2c24fe08030907e1329981f0fbaa2496813ab9fab32f482cd96d8770f32053"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cachix/install-nix-action` pinned to mutable ref `@v31`: `uses: cachix/install-nix-action@v31` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72118, "scanner": "repobility-supply-chain", "fingerprint": "e4f1a7fcc0680ac059724d756a2b431ec2c16293494d42cf1b7332e080267249", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e4f1a7fcc0680ac059724d756a2b431ec2c16293494d42cf1b7332e080267249"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72117, "scanner": "repobility-supply-chain", "fingerprint": "f8fdf6618acae2ded45ea8b3fd041fdf5cef73551ee1de360c5618a780093602", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f8fdf6618acae2ded45ea8b3fd041fdf5cef73551ee1de360c5618a780093602"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72116, "scanner": "repobility-supply-chain", "fingerprint": "3e3615632370cceffc23e22c51779e072c8a4c30f817f3f8580d358b60a08299", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e3615632370cceffc23e22c51779e072c8a4c30f817f3f8580d358b60a08299"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cachix/install-nix-action` pinned to mutable ref `@v31`: `uses: cachix/install-nix-action@v31` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72115, "scanner": "repobility-supply-chain", "fingerprint": "1eb499ee5fb99e0ae97832bef0061696c9e92711fe4516e11eec7f736e7c29b6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1eb499ee5fb99e0ae97832bef0061696c9e92711fe4516e11eec7f736e7c29b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly-e2e-lst.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72114, "scanner": "repobility-supply-chain", "fingerprint": "f3cc0fc5563c9853cfa0f3ea2ed13895579a30e595fdc374261e40bbb7fd09ef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f3cc0fc5563c9853cfa0f3ea2ed13895579a30e595fdc374261e40bbb7fd09ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly-e2e-lst.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `changesets/action` pinned to mutable ref `@v1`: `uses: changesets/action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72113, "scanner": "repobility-supply-chain", "fingerprint": "b70741b2a41b6ca373bd41efab99ee71e82cee102d346ca7fe601ec0ea25fb66", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b70741b2a41b6ca373bd41efab99ee71e82cee102d346ca7fe601ec0ea25fb66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/package-release.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cachix/install-nix-action` pinned to mutable ref `@v31`: `uses: cachix/install-nix-action@v31` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72112, "scanner": "repobility-supply-chain", "fingerprint": "9f3d915f5b9a9e5b2ee59842f23cf23e369d126bebb63fb1c4d13269ca81f2a6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9f3d915f5b9a9e5b2ee59842f23cf23e369d126bebb63fb1c4d13269ca81f2a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/package-release.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72111, "scanner": "repobility-supply-chain", "fingerprint": "4131664734cc85bae0c8cde5d128b7e718236ae7de93acd256e48f2ad573e3ea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4131664734cc85bae0c8cde5d128b7e718236ae7de93acd256e48f2ad573e3ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/package-release.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `wagoid/commitlint-github-action` pinned to mutable ref `@v5`: `uses: wagoid/commitlint-github-action@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72110, "scanner": "repobility-supply-chain", "fingerprint": "f8b634272da12278de89e703937e197279f8eaa7e0807ee5c964940cea2ea9ce", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f8b634272da12278de89e703937e197279f8eaa7e0807ee5c964940cea2ea9ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 72109, "scanner": "repobility-supply-chain", "fingerprint": "d5777179c0e0bfab0988669109c3f66ba2c7aa4a5a8806c95d076fc7e3a5c7e9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d5777179c0e0bfab0988669109c3f66ba2c7aa4a5a8806c95d076fc7e3a5c7e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 redirects to fork `github.com/consensys/gnark`: `replace ( => github.com/consensys/gnark` overrides the canonical dependency with a different source (redirects to fork `github.com/consensys/gnark`). 
Local-path `replace` directives are fine for monorepos, but in published modules a `replace` can hide a malicious fork from anyone who audits only the `require` lines."}, "properties": {"repobilityId": 72108, "scanner": "repobility-supply-chain", "fingerprint": "9a3e1d4b0e200db3367579d829fda9f01e7852fd9570a2c8b437c4bae06baf2a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a3e1d4b0e200db3367579d829fda9f01e7852fd9570a2c8b437c4bae06baf2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "11-cometbls/go.mod"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 redirects to fork `github.com/unionlabs/cometbls`: `replace ( => github.com/unionlabs/cometbls` overrides the canonical dependency with a different source (redirects to fork `github.com/unionlabs/cometbls`). 
Local-path `replace` directives are fine for monorepos, but in published modules a `replace` can hide a malicious fork from anyone who audits only the `require` lines."}, "properties": {"repobilityId": 72107, "scanner": "repobility-supply-chain", "fingerprint": "86889fa189947b50d115a06f76fe1b89ffad2e1e60c7f1404c128b21f41fb522", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86889fa189947b50d115a06f76fe1b89ffad2e1e60c7f1404c128b21f41fb522"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "galoisd/go.mod"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 redirects to fork `cosmossdk.io/api`: `replace ( => cosmossdk.io/api` overrides the canonical dependency with a different source (redirects to fork `cosmossdk.io/api`). 
Local-path `replace` directives are fine for monorepos, but in published modules a `replace` can hide a malicious fork from anyone who audits only the `require` lines."}, "properties": {"repobilityId": 72106, "scanner": "repobility-supply-chain", "fingerprint": "d1ed3cccb60f5a6e7e823da37f88fbcf0aa67c12b69d28a6468ee692b72448f7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d1ed3cccb60f5a6e7e823da37f88fbcf0aa67c12b69d28a6468ee692b72448f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "galoisd/go.mod"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 redirects to fork `github.com/unionlabs/cometbls`: `replace ( => github.com/unionlabs/cometbls` overrides the canonical dependency with a different source (redirects to fork `github.com/unionlabs/cometbls`). 
Local-path `replace` directives are fine for monorepos, but in published modules a `replace` can hide a malicious fork from anyone who audits only the `require` lines."}, "properties": {"repobilityId": 72105, "scanner": "repobility-supply-chain", "fingerprint": "5f21e04e660fd5acc9da96c4133e4a1f400b286e94b381fe12f4dfd676bab3a5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5f21e04e660fd5acc9da96c4133e4a1f400b286e94b381fe12f4dfd676bab3a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uniond/go.mod"}, "region": {"startLine": 260}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 redirects to fork `github.com/unionlabs/cosmos-sdk/core`: `replace ( => github.com/unionlabs/cosmos-sdk/core` overrides the canonical dependency with a different source (redirects to fork `github.com/unionlabs/cosmos-sdk/core`). 
Local-path `replace` directives are fine for monorepos, but in published modules a `replace` can hide a malicious fork from anyone who audits only the `require` lines."}, "properties": {"repobilityId": 72104, "scanner": "repobility-supply-chain", "fingerprint": "f71963c24c4b47f8afc4896f0b71ec4c0862f2583ce6c89f20e885bf16a3f1a4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f71963c24c4b47f8afc4896f0b71ec4c0862f2583ce6c89f20e885bf16a3f1a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uniond/go.mod"}, "region": {"startLine": 250}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 redirects to fork `github.com/unionlabs/ibc-go/modules/capability`: `replace ( => github.com/unionlabs/ibc-go/modules/capability` overrides the canonical dependency with a different source (redirects to fork `github.com/unionlabs/ibc-go/modules/capability`). 
Local-path `replace` directives are fine for monorepos, but in published modules a `replace` can hide a malicious fork from anyone who audits only the `require` lines."}, "properties": {"repobilityId": 72103, "scanner": "repobility-supply-chain", "fingerprint": "8ca9f49528bd26ae5539b6c008a416e790935d76d566ec17cc1686784676dc56", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8ca9f49528bd26ae5539b6c008a416e790935d76d566ec17cc1686784676dc56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uniond/go.mod"}, "region": {"startLine": 245}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `github.com/CosmWasm/wasmd` \u2014 redirects to fork `github.com/unionlabs/wasmd`: `replace github.com/CosmWasm/wasmd => github.com/unionlabs/wasmd` overrides the canonical dependency with a different source (redirects to fork `github.com/unionlabs/wasmd`). 
Local-path `replace` directives are fine for monorepos, but in published modules a `replace` can hide a malicious fork from anyone who audits only the `require` lines."}, "properties": {"repobilityId": 72102, "scanner": "repobility-supply-chain", "fingerprint": "9710b615bea694ccdd1dbb64625c0392a092353779845566168f86a64124bd7b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9710b615bea694ccdd1dbb64625c0392a092353779845566168f86a64124bd7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uniond/go.mod"}, "region": {"startLine": 243}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 redirects to fork `github.com/unionlabs/chaintestutil`: `replace ( => github.com/unionlabs/chaintestutil` overrides the canonical dependency with a different source (redirects to fork `github.com/unionlabs/chaintestutil`). 
Local-path `replace` directives are fine for monorepos, but in published modules a `replace` can hide a malicious fork from anyone who audits only the `require` lines."}, "properties": {"repobilityId": 72101, "scanner": "repobility-supply-chain", "fingerprint": "a3218ce9368b5e9a713baa1262eef5173f7ec9daf0d9803bd3d13d73f97fae09", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a3218ce9368b5e9a713baa1262eef5173f7ec9daf0d9803bd3d13d73f97fae09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uniond/go.mod"}, "region": {"startLine": 238}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. 
Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 72039, "scanner": "repobility-threat-engine", "fingerprint": "fa0c4c173b2844345f7eacadb1e51858da2b54c3bfed0695efcb71094943cc35", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "bytes(input.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fa0c4c173b2844345f7eacadb1e51858da2b54c3bfed0695efcb71094943cc35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/u/src/gno.rs"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 72031, "scanner": "repobility-threat-engine", "fingerprint": "3debc8b25e02f606282925833ab82e8b07edf2de737e1e283ba5b89675dc30c6", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log({ sourceChannel, ucs03address, baseToken, quoteToken, amount })", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|18|console.log sourcechannel ucs03address basetoken quotetoken amount"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "typescript-sdk/src/evm/client.ts"}, "region": {"startLine": 189}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 72030, "scanner": "repobility-threat-engine", "fingerprint": "c728cd6a010406bb7f90bee2bde7b743bdd15bdb84c69714322c03d267f685bf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c728cd6a010406bb7f90bee2bde7b743bdd15bdb84c69714322c03d267f685bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uniond/app/upgrades/v1_3_0/upgrade.go"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 72029, "scanner": "repobility-threat-engine", "fingerprint": "9e429ef0b3ea441080d35a65b12002ae9f00d62867d376f6ba350281e838a42d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9e429ef0b3ea441080d35a65b12002ae9f00d62867d376f6ba350281e838a42d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "galoisd/cmd/galoisd/lib.go"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 72028, "scanner": "repobility-threat-engine", "fingerprint": "00600484fc58688ab51fb9f90d9449a47743059a70dfba158e7cfe9e976d6e07", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|00600484fc58688ab51fb9f90d9449a47743059a70dfba158e7cfe9e976d6e07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "galoisd/cmd/galoisd/cmd/utils.go"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 72022, "scanner": "repobility-threat-engine", "fingerprint": "3ce50b2154f1ad5367b3e2be5cea232932630e39e16eb07c74ef0fa00237bb2f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(w", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3ce50b2154f1ad5367b3e2be5cea232932630e39e16eb07c74ef0fa00237bb2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/public/scripts/scroll-to-anchor.js"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 72021, "scanner": "repobility-threat-engine", "fingerprint": "dab866cdd16e237948af1a5c3dda6cf3fa3c61f2a40d8ce93fee39f5cdb03f96", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dab866cdd16e237948af1a5c3dda6cf3fa3c61f2a40d8ce93fee39f5cdb03f96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sentinel2/src/helpers.ts"}, "region": {"startLine": 220}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 72020, "scanner": "repobility-threat-engine", "fingerprint": "d19e28b65153cdfdb811b57831cdd3ff49ecf293d81ca4fccd10aab725aafd9f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(w", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d19e28b65153cdfdb811b57831cdd3ff49ecf293d81ca4fccd10aab725aafd9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/components/graphiql/react/GraphiQL.tsx"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 72019, "scanner": "repobility-threat-engine", "fingerprint": "c8db68419e4ed6e8438d8fb723bf26609a606a24d9e561b5ce5d8aa05ad5dc6f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(pageHtml", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c8db68419e4ed6e8438d8fb723bf26609a606a24d9e561b5ce5d8aa05ad5dc6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sentinel2/src/check-ssl-certificates.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 72018, "scanner": "repobility-threat-engine", "fingerprint": "d9d47af5c7a4393f4ce7ec48f9c6d0777f594a0a76ce26a52879729ba1f4159c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d9d47af5c7a4393f4ce7ec48f9c6d0777f594a0a76ce26a52879729ba1f4159c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "devnet-compose/src/process_compose.rs"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED039", "level": "error", "message": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. 
Unimplemented code path."}, "properties": {"repobilityId": 72008, "scanner": "repobility-threat-engine", "fingerprint": "de852797dfc4c4649d35ac1b300b84faa2729a7d77dd79e9ebafd690661cb8e4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-todo-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347989+00:00", "triaged_in_corpus": 15, "observations_count": 1561, "ai_coder_pattern_id": 114}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de852797dfc4c4649d35ac1b300b84faa2729a7d77dd79e9ebafd690661cb8e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cosmwasm/proxy-account-factory/src/tests.rs"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED039", "level": "error", "message": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. 
Unimplemented code path."}, "properties": {"repobilityId": 72007, "scanner": "repobility-threat-engine", "fingerprint": "b6741679139475c814088c96ad51faddbede9890fd8fb81b7bd9f5c0dac968a5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-todo-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347989+00:00", "triaged_in_corpus": 15, "observations_count": 1561, "ai_coder_pattern_id": 114}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b6741679139475c814088c96ad51faddbede9890fd8fb81b7bd9f5c0dac968a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cosmwasm/lst-staker/src/tests.rs"}, "region": {"startLine": 210}}}]}, {"ruleId": "MINED039", "level": "error", "message": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. 
Unimplemented code path."}, "properties": {"repobilityId": 72006, "scanner": "repobility-threat-engine", "fingerprint": "0a600af173b5e4c3041df851549a7ace0fadb703bf507811bcdf20c136c61485", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-todo-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347989+00:00", "triaged_in_corpus": 15, "observations_count": 1561, "ai_coder_pattern_id": 114}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0a600af173b5e4c3041df851549a7ace0fadb703bf507811bcdf20c136c61485"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cosmwasm/lightclient/sui/src/client.rs"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 72000, "scanner": "repobility-threat-engine", "fingerprint": "06a9878aea0ef6659a06546e3fffd8b992fb19773cdd87fa4bc58eb36b28f233", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|06a9878aea0ef6659a06546e3fffd8b992fb19773cdd87fa4bc58eb36b28f233"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cosmwasm/lightclient/state-lens-ics23-mpt/src/client.rs"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 71999, "scanner": "repobility-threat-engine", "fingerprint": "fa2624b1f98f316fb4db3da002c0b9a1a7fad3941a16ecb2199f4297ade7d14d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fa2624b1f98f316fb4db3da002c0b9a1a7fad3941a16ecb2199f4297ade7d14d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cosmwasm/lightclient/movement/src/client.rs"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 71998, "scanner": "repobility-threat-engine", "fingerprint": "83a698a2b7efcd397f901a43b0e5189d7f021969d55afd0c46cf440f672587a6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|83a698a2b7efcd397f901a43b0e5189d7f021969d55afd0c46cf440f672587a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cosmwasm/core/src/tests.rs"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 71997, "scanner": "repobility-threat-engine", "fingerprint": "fe41747535cab11726d381c00dfab0684965ebbeaa23ad36b0c2c9ab5ca14a42", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.all(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fe41747535cab11726d381c00dfab0684965ebbeaa23ad36b0c2c9ab5ca14a42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/components/react/Editor.tsx"}, "region": {"startLine": 156}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 71996, "scanner": "repobility-threat-engine", "fingerprint": "f4b24daec4f86bc77af3bfbfd87916831b78e365558f5ae49dc6f2a9db0344bf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "CONFIG.update(deps.storage, |mut c| {\n        c.seconds_before_timeout = msg.seconds_before_time", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f4b24daec4f86bc77af3bfbfd87916831b78e365558f5ae49dc6f2a9db0344bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cosmwasm/app/ucs00-pingpong/src/contract.rs"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 71990, "scanner": "repobility-threat-engine", "fingerprint": "a0d3d12ed55c805cf7c8b76805f793652319eb3d43db98f0873d1a0819d89370", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a0d3d12ed55c805cf7c8b76805f793652319eb3d43db98f0873d1a0819d89370"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cosmwasm/access-managed/src/tests.rs"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 71989, "scanner": "repobility-threat-engine", "fingerprint": "250d3aa65f03b74d06f6f7cfbbbc65f8420e4a6ac6268ed613385e97772b1a4a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|250d3aa65f03b74d06f6f7cfbbbc65f8420e4a6ac6268ed613385e97772b1a4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cosmwasm/access-managed/src/restricted.rs"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 71988, "scanner": "repobility-threat-engine", "fingerprint": "25373d75faec0d22e01e7e56e81ec2f0f428ca617e9c2f05fd456632f1d90ab9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|25373d75faec0d22e01e7e56e81ec2f0f428ca617e9c2f05fd456632f1d90ab9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cosmwasm/access-managed/src/lib.rs"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CLOUDFLARE_ACCOUNT_ID }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
By default GitHub withholds repository secrets from `pull_request` runs that originate from forks, so confirm the secret is actually reachable (same-repository branch, or fork-PR secret sharing enabled) before treating this as exploitable. Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72159, "scanner": "repobility-supply-chain", "fingerprint": "7acb602d225a27334597c21657abaca63ba84db8c2c526f03952a51637e8dacc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7acb602d225a27334597c21657abaca63ba84db8c2c526f03952a51637e8dacc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-ceremony.yml"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_WORKERS_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CLOUDFLARE_WORKERS_API_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
By default GitHub withholds repository secrets from `pull_request` runs that originate from forks, so confirm the secret is actually reachable (same-repository branch, or fork-PR secret sharing enabled) before treating this as exploitable. Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72158, "scanner": "repobility-supply-chain", "fingerprint": "c54a5531fd6ec6952e7a33358659dea4470ffe02e2032b146de63011139537a5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c54a5531fd6ec6952e7a33358659dea4470ffe02e2032b146de63011139537a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-ceremony.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CLOUDFLARE_ACCOUNT_ID }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
By default GitHub withholds repository secrets from `pull_request` runs that originate from forks, so confirm the secret is actually reachable (same-repository branch, or fork-PR secret sharing enabled) before treating this as exploitable. Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72157, "scanner": "repobility-supply-chain", "fingerprint": "1e17bb9afef16822a335c2bd0cdff2214f05b4088f024bfbc55b121281e97d1d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e17bb9afef16822a335c2bd0cdff2214f05b4088f024bfbc55b121281e97d1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-ceremony.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_WORKERS_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CLOUDFLARE_WORKERS_API_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
By default GitHub withholds repository secrets from `pull_request` runs that originate from forks, so confirm the secret is actually reachable (same-repository branch, or fork-PR secret sharing enabled) before treating this as exploitable. Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72156, "scanner": "repobility-supply-chain", "fingerprint": "c3c4ac3e523549ed0dac163a29e1a0908c487bf6d21bfd23156c1d34de172355", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c3c4ac3e523549ed0dac163a29e1a0908c487bf6d21bfd23156c1d34de172355"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-app2.yml"}, "region": {"startLine": 169}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CLOUDFLARE_ACCOUNT_ID }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
By default GitHub withholds repository secrets from `pull_request` runs that originate from forks, so confirm the secret is actually reachable (same-repository branch, or fork-PR secret sharing enabled) before treating this as exploitable. Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72155, "scanner": "repobility-supply-chain", "fingerprint": "6cda907e818225492bb44adf123efca3cfd09767c31fc2cc58b8fa0b1f48db27", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6cda907e818225492bb44adf123efca3cfd09767c31fc2cc58b8fa0b1f48db27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-app2.yml"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_WORKERS_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CLOUDFLARE_WORKERS_API_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
By default GitHub withholds repository secrets from `pull_request` runs that originate from forks, so confirm the secret is actually reachable (same-repository branch, or fork-PR secret sharing enabled) before treating this as exploitable. Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72154, "scanner": "repobility-supply-chain", "fingerprint": "ab804e6493b83e13feb6d5a8a67b46850cac10d3b017e67a627eadb58189b44d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ab804e6493b83e13feb6d5a8a67b46850cac10d3b017e67a627eadb58189b44d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-app2.yml"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CLOUDFLARE_ACCOUNT_ID }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
By default GitHub withholds repository secrets from `pull_request` runs that originate from forks, so confirm the secret is actually reachable (same-repository branch, or fork-PR secret sharing enabled) before treating this as exploitable. Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72153, "scanner": "repobility-supply-chain", "fingerprint": "bb3e93b92934a9f1eb69340db9a506fe1f137b34d2709e9ffdb832321598a8c1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bb3e93b92934a9f1eb69340db9a506fe1f137b34d2709e9ffdb832321598a8c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-app2.yml"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_WORKERS_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CLOUDFLARE_WORKERS_API_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
By default GitHub withholds repository secrets from `pull_request` runs that originate from forks, so confirm the secret is actually reachable (same-repository branch, or fork-PR secret sharing enabled) before treating this as exploitable. Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72152, "scanner": "repobility-supply-chain", "fingerprint": "fcd2173719b83a3bbcaef22d98caf4be4cd8ad844ec62e7093155cc1f21df183", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fcd2173719b83a3bbcaef22d98caf4be4cd8ad844ec62e7093155cc1f21df183"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-app2.yml"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CLOUDFLARE_ACCOUNT_ID }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72151, "scanner": "repobility-supply-chain", "fingerprint": "cd6dc8fefe3c239d0797c6d1d24a8e629215449d704dd90b27c36738dd949b34", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd6dc8fefe3c239d0797c6d1d24a8e629215449d704dd90b27c36738dd949b34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-app2.yml"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_WORKERS_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_WORKERS_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72150, "scanner": "repobility-supply-chain", "fingerprint": "59cd28477a5278d3c9d702dc7c0d8f4e05cbb12a629d9c196ebb0d400b8e7251", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|59cd28477a5278d3c9d702dc7c0d8f4e05cbb12a629d9c196ebb0d400b8e7251"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-app2.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72149, "scanner": "repobility-supply-chain", "fingerprint": "bc8d99e863d850f6f99a4d7b60ea2e62dac7d8d7140879256551d7df1266d52b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bc8d99e863d850f6f99a4d7b60ea2e62dac7d8d7140879256551d7df1266d52b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-app2.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72147, "scanner": "repobility-supply-chain", "fingerprint": "afce61d0384f3cc416c9b78d36c0406d825a6beb80f475cfbcf123d637e89d2d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|afce61d0384f3cc416c9b78d36c0406d825a6beb80f475cfbcf123d637e89d2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-docs.yml"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72146, "scanner": "repobility-supply-chain", "fingerprint": "e848801420e88922398d1225108d35a7435db05ce5abc00c17e1b9980aca9194", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e848801420e88922398d1225108d35a7435db05ce5abc00c17e1b9980aca9194"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-docs.yml"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72145, "scanner": "repobility-supply-chain", "fingerprint": "7dd44630b7acbe60597d0a622258d31383e85f2e71e1448019373848e82daddb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7dd44630b7acbe60597d0a622258d31383e85f2e71e1448019373848e82daddb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-docs.yml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72144, "scanner": "repobility-supply-chain", "fingerprint": "1c9bf20b8a94250f512cb5875e45e4d684558f6d8bfe603f8d1cb93b3da010e4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1c9bf20b8a94250f512cb5875e45e4d684558f6d8bfe603f8d1cb93b3da010e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-docs.yml"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72143, "scanner": "repobility-supply-chain", "fingerprint": "55b2f9a2278936c4fbea1bc83f5107bd9c60598320df4d9801486f401047bbf4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|55b2f9a2278936c4fbea1bc83f5107bd9c60598320df4d9801486f401047bbf4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-docs.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72142, "scanner": "repobility-supply-chain", "fingerprint": "fd423d73d2a4c975a2c3a5a5c7d6e32f534ddf603b5087a76f1b4d228ae29dff", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fd423d73d2a4c975a2c3a5a5c7d6e32f534ddf603b5087a76f1b4d228ae29dff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-docs.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_WORKERS_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_WORKERS_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72136, "scanner": "repobility-supply-chain", "fingerprint": "885130e83bfb138f964fcabd21061193c07b8c97428f264f0aa495102f1a92be", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|885130e83bfb138f964fcabd21061193c07b8c97428f264f0aa495102f1a92be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72135, "scanner": "repobility-supply-chain", "fingerprint": "a0deecae1fca9547153c19d0d548f6eca1fbced08ead26363ccd221ada609949", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a0deecae1fca9547153c19d0d548f6eca1fbced08ead26363ccd221ada609949"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_WORKERS_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_WORKERS_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72134, "scanner": "repobility-supply-chain", "fingerprint": "3c25e2d716060c9fd06e983ef89ce7762b6e04d8c88b60bf4384828bcfd3350b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3c25e2d716060c9fd06e983ef89ce7762b6e04d8c88b60bf4384828bcfd3350b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72133, "scanner": "repobility-supply-chain", "fingerprint": "9911cb4ed6666b5cf26bebbbc5b1e19f1aa827eafa62994e7e8caf185957bb64", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9911cb4ed6666b5cf26bebbbc5b1e19f1aa827eafa62994e7e8caf185957bb64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_WORKERS_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_WORKERS_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72132, "scanner": "repobility-supply-chain", "fingerprint": "4255da4ee74fc02dec82f7169c58e8c53280ffea8ae4fbc268abff4ef470d879", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4255da4ee74fc02dec82f7169c58e8c53280ffea8ae4fbc268abff4ef470d879"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72131, "scanner": "repobility-supply-chain", "fingerprint": "8090e9ad6c7dc5d96ca5cdd9f6150f9b9198b76cae212fa47bb10f03f4865d52", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8090e9ad6c7dc5d96ca5cdd9f6150f9b9198b76cae212fa47bb10f03f4865d52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_WORKERS_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_WORKERS_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72130, "scanner": "repobility-supply-chain", "fingerprint": "d5be366ecefad1351698777be67a484330eedf5255151bee7d340c4f83d5ac5c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d5be366ecefad1351698777be67a484330eedf5255151bee7d340c4f83d5ac5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72129, "scanner": "repobility-supply-chain", "fingerprint": "a5d01b8ff739c46987c9995fe279015e2a2b9702291fe8995efdcd022b00a82a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a5d01b8ff739c46987c9995fe279015e2a2b9702291fe8995efdcd022b00a82a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-zkgm-dev.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC048", "level": "error", "message": {"text": "[SEC048] AWS access key (any prefix): AWS access key ID detected (supports access, session, batch, codecommit prefixes). Ported from gitleaks aws-access-token (MIT). Triage note: the recorded match `AccAddressFromBech32` reads as a Go identifier (the Cosmos SDK address-parsing helper has this name) rather than an access key ID, so this is likely a false positive; check the source line before acting on the `confirmed` verdict."}, "properties": {"repobilityId": 72045, "scanner": "repobility-threat-engine", "fingerprint": "e674951f4f2f480a20a7be0e9b9b2c470db47bce93d89990e745d8640c50d6d0", "category": "secret", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "AccAddressFromBech32", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC048", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|24|accaddressfrombech32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uniond/cmd/uniond/cmd/testnet.go"}, "region": {"startLine": 245}}}]}, {"ruleId": "SEC048", "level": "error", "message": {"text": "[SEC048] AWS access key (any prefix): AWS access key ID detected (supports access, session, batch, codecommit prefixes). 
Ported from gitleaks aws-access-token (MIT). Triage note: the recorded match `AccAddressFromBech32` reads as a Go identifier (the Cosmos SDK address-parsing helper has this name) rather than an access key ID, so this is likely a false positive; check the source line before acting on the `confirmed` verdict."}, "properties": {"repobilityId": 72044, "scanner": "repobility-threat-engine", "fingerprint": "7fb7e3f80995502df9c6694d5b81edc31585ba74bb7d8ff0d8d6fffdb9d4ea3b", "category": "secret", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "AccAddressFromBech32", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC048", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|19|accaddressfrombech32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uniond/app/upgrades/v1_3_0/upgrade.go"}, "region": {"startLine": 191}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0). Triage note: the flagged file is Solidity (`Store.sol`), where `require(...)` is a condition check that reverts on failure, not a JavaScript module loader, so this rule likely does not apply; check the source line before acting on the `confirmed` verdict."}, "properties": {"repobilityId": 72024, "scanner": "repobility-threat-engine", "fingerprint": "284922ff35d481f44b7977af745895d5d4192672a73ab735fa9d7f2c64b2325d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(selector", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|284922ff35d481f44b7977af745895d5d4192672a73ab735fa9d7f2c64b2325d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evm/contracts/apps/ucs/03-zkgm/Store.sol"}, "region": {"startLine": 75}}}]}]}]}