{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image has no explicit tag", "shortDescription": {"text": "Dockerfile base image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `oras-project/setup-oras` pinned to mutable ref `@v2`", "shortDescription": {"text": "Action `oras-project/setup-oras` pinned to mutable ref `@v2`"}, "fullDescription": {"text": "`uses: oras-project/setup-oras@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `node:22-bookworm-slim` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `node:22-bookworm-slim` not pinned by digest"}, "fullDescription": {"text": "`FROM node:22-bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/184"}, "properties": {"repository": "microsoft/playwright-mcp", "repoUrl": "https://github.com/microsoft/playwright-mcp", "branch": "main"}, "results": [{"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 5250, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 5249, "scanner": "repobility-docker", "fingerprint": "eb2dabf22b909a10e6f6abe4308623f3787b73631c5b8b158fedbcb1341ab9ff", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Image reference has no tag or digest.", "evidence": {"image": "base", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|eb2dabf22b909a10e6f6abe4308623f3787b73631c5b8b158fedbcb1341ab9ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 49}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 5248, "scanner": "repobility-docker", "fingerprint": "1afa3a52f82d2d3c7d172281db15bbe7ac54640e47bd7490bd562ec15fdac914", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Image reference has no tag or digest.", "evidence": {"image": "base", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1afa3a52f82d2d3c7d172281db15bbe7ac54640e47bd7490bd562ec15fdac914"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 5247, "scanner": "repobility-docker", "fingerprint": "82eac34234d2f419e7cb55d9ebf98f7ee2400bb5752e1f69d88ed59b20b4a4a5", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Image reference has no tag or digest.", "evidence": {"image": "base", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|82eac34234d2f419e7cb55d9ebf98f7ee2400bb5752e1f69d88ed59b20b4a4a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 26}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 5244, "scanner": "repobility-agent-runtime", "fingerprint": "af5ae1590322febba666451e92fef82ff2cf8088d8b69a3a4ecd62fd4010b980", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|af5ae1590322febba666451e92fef82ff2cf8088d8b69a3a4ecd62fd4010b980"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config.d.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 51062, "scanner": "repobility-threat-engine", "fingerprint": "6bf6cfb7d46a8a0226c5948cf5a7b51eb38b1726ebc435f9ae84f3f470bd75fb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6bf6cfb7d46a8a0226c5948cf5a7b51eb38b1726ebc435f9ae84f3f470bd75fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "update-readme.js"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 51061, "scanner": "repobility-threat-engine", "fingerprint": "1e5f416aebba10e9f1d09948c118ff080e41290bb51c7b07e074abc25d7353ec", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1e5f416aebba10e9f1d09948c118ff080e41290bb51c7b07e074abc25d7353ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "roll.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 5246, "scanner": "repobility-threat-engine", "fingerprint": "2940af5aea48b900e68a917247d14a91f1c3dc7c4ab35360b5352241307795b5", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Schema or ORM field definition", "evidence": {"match": "console.log('Updating config schema from config.d.ts...')", "reason": "Schema or ORM field definition", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|update-readme.js|20|console.log updating config schema from config.d.ts..."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "update-readme.js"}, "region": {"startLine": 208}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 5245, "scanner": "repobility-threat-engine", "fingerprint": "8558a663b30ac6108a3a3df43c2771739162748d05402bf05045e80c5f48e7ba", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(`Copied config.d.ts from ${src} to ${dst}`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|roll.js|1|console.log copied config.d.ts from src to dst"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "roll.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oras-project/setup-oras` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 51060, "scanner": "repobility-supply-chain", "fingerprint": "f1f49729a265cbcd3dd87b214db128eb80eae10b61df36aaa9836771782f9553", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f1f49729a265cbcd3dd87b214db128eb80eae10b61df36aaa9836771782f9553"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `azure/login` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 51059, "scanner": "repobility-supply-chain", "fingerprint": "34f668f5cbbb379992315362e93edc1c530345b9054f57a901681a511ac4c980", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|34f668f5cbbb379992315362e93edc1c530345b9054f57a901681a511ac4c980"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 51058, "scanner": "repobility-supply-chain", "fingerprint": "cff5e591e0ee14ac306445a08f22433a6ab572a69a9d290f317d7cdbac96f81b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cff5e591e0ee14ac306445a08f22433a6ab572a69a9d290f317d7cdbac96f81b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 51057, "scanner": "repobility-supply-chain", "fingerprint": "150ea609b749d4d584eaa62a7b76f24bb3289ede4026e21b86f1e2cabee44b02", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|150ea609b749d4d584eaa62a7b76f24bb3289ede4026e21b86f1e2cabee44b02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 51056, "scanner": "repobility-supply-chain", "fingerprint": "74e725211bfd387d8017c22983ffe2a10c8a2aea450a4b1406f4d3c9098ed2ef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|74e725211bfd387d8017c22983ffe2a10c8a2aea450a4b1406f4d3c9098ed2ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 51055, "scanner": "repobility-supply-chain", "fingerprint": "6a7c6bba36a331176df71b37c06497b97bfd928fb8cfe04195ea8a01a67a832b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6a7c6bba36a331176df71b37c06497b97bfd928fb8cfe04195ea8a01a67a832b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 51054, "scanner": "repobility-supply-chain", "fingerprint": "f3552275735e5211ef842cdf8046a500d6469552284913d460046643cc73538e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f3552275735e5211ef842cdf8046a500d6469552284913d460046643cc73538e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 51053, "scanner": "repobility-supply-chain", "fingerprint": "d641c90a79d3e905902c8000f3e6824e22f142620d6b377cc17ac39197dab203", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d641c90a79d3e905902c8000f3e6824e22f142620d6b377cc17ac39197dab203"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 51052, "scanner": "repobility-supply-chain", "fingerprint": "f727cd2fe64005900a24c522c70edf1c7c566a0afa177a41492388ffa88ef7bb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f727cd2fe64005900a24c522c70edf1c7c566a0afa177a41492388ffa88ef7bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 51051, "scanner": "repobility-supply-chain", "fingerprint": "531cb15ae85741b1e545102b3745014fb3d9e33bbb5db00027f0ad29796fd2a9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|531cb15ae85741b1e545102b3745014fb3d9e33bbb5db00027f0ad29796fd2a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 51050, "scanner": "repobility-supply-chain", "fingerprint": "46f4616859fb594962cc494df2407b3929215b1381902fc1973669fac4f2fea8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|46f4616859fb594962cc494df2407b3929215b1381902fc1973669fac4f2fea8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 51049, "scanner": "repobility-supply-chain", "fingerprint": "eda72ccc3387d4496c7895a1073c53ef0a5d437e8625693039df6c12f9403cda", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eda72ccc3387d4496c7895a1073c53ef0a5d437e8625693039df6c12f9403cda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 51048, "scanner": "repobility-supply-chain", "fingerprint": "b86af46d5179250ed3c36c0390a9ecda961acc3a45e085161bd67dfddc500142", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b86af46d5179250ed3c36c0390a9ecda961acc3a45e085161bd67dfddc500142"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 51047, "scanner": "repobility-supply-chain", "fingerprint": "714a2b6daed27aee23b95891ec7e24e102aa26b23230dd0cac31872d99fd1120", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|714a2b6daed27aee23b95891ec7e24e102aa26b23230dd0cac31872d99fd1120"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22-bookworm-slim` not pinned by digest"}, "properties": {"repobilityId": 51046, "scanner": "repobility-supply-chain", "fingerprint": "ecd10b49fb68f9b63b5843bde241d8fbf3486891f3c1fca862756a17fc8a488a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ecd10b49fb68f9b63b5843bde241d8fbf3486891f3c1fca862756a17fc8a488a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 8}}}]}]}]}