{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested.", "shortDescription": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 15 more): Same pattern found in 15 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 10 more): Same pattern found in 10 additional files. Review if nee", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 64 more): Same pattern found in 64 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 64 more): Same pattern found in 64 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 11 more): Same pattern found in 11 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 16 more): Same pattern found in 16 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 20 more): Same pattern found in 20 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at ", "shortDescription": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compro"}, "fullDescription": {"text": "Replace with: `uses: actions/upload-artifact@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED123", "name": "[MINED123] Trojan Source bidi character (LRM) in source: Line 256 contains a Unicode bidirectional override character (U", "shortDescription": {"text": "[MINED123] Trojan Source bidi character (LRM) in source: Line 256 contains a Unicode bidirectional override character (U+200E LRM). This is the 'Trojan Source' attack (CVE-2021-42574): the character makes the compiler / interpreter see diff"}, "fullDescription": {"text": "Audit the line manually. If the character is not intentional (it almost never is in code), remove it. Configure your editor / pre-commit hook to reject bidi controls in source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_re", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfil"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/907"}, "properties": {"repository": "marktext/marktext", "repoUrl": "https://github.com/marktext/marktext", "branch": "develop"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 84872, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 84843, "scanner": "repobility-threat-engine", "fingerprint": "d72fb1de9fbe01de8fd4a2c55871e011db4e800a4f673f9c6cacae18f2c6413b", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(href, '_blank', 'noopener,noreferrer')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|70|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/examples/src/main.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 84842, "scanner": "repobility-threat-engine", "fingerprint": "aa3cf9c04105e2d6c48cfa25fee4a94cca693257b4386bb7ac0107a70d0b6ac1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'foo bar'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aa3cf9c04105e2d6c48cfa25fee4a94cca693257b4386bb7ac0107a70d0b6ac1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/examples/src/main.ts"}, "region": {"startLine": 227}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 84841, "scanner": "repobility-threat-engine", "fingerprint": "e5a36c10014203539487e8f8264406312b63686ffeb1afd06092b52717a17eeb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'foo bar'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e5a36c10014203539487e8f8264406312b63686ffeb1afd06092b52717a17eeb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/examples/src/data.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 84840, "scanner": "repobility-threat-engine", "fingerprint": "a89da1e4648bd38e5f0749ed36e590fcde0401fd849caa961dc88db2ff31d22a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'foo bar'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a89da1e4648bd38e5f0749ed36e590fcde0401fd849caa961dc88db2ff31d22a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/docs/jsonState.ts"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 84817, "scanner": "repobility-threat-engine", "fingerprint": "e2aa876d731c10535fe5ba639e695f950e0137987dd12a45d0d54d98eb657d91", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|79|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/inlineRenderer/index.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 84816, "scanner": "repobility-threat-engine", "fingerprint": "a5f84437259ed8f83fa372743ad3a57a1dbba30ed1370dc9cc26a1a644b9e77a", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|25|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/renderer/src/codeMirror/mltiplexMode.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 84815, "scanner": "repobility-threat-engine", "fingerprint": "fbeac8ad2e70a2a2bdcc920ce7331d4fd97e3ccf2ec7b5dab9020413650e50f6", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|94|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/ipc/uploader.ts"}, "region": {"startLine": 94}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84871, "scanner": "repobility-ai-code-hygiene", "fingerprint": "de9cec990d65e5f63884d9ae3c217efa7d2bdd95b2f2ab968ce7c49dd9b4bf01", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/desktop/src/renderer/src/util/dompurify.ts", "duplicate_line": 2, "correlation_key": "fp|de9cec990d65e5f63884d9ae3c217efa7d2bdd95b2f2ab968ce7c49dd9b4bf01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muyajs/lib/config/index.js"}, "region": {"startLine": 348}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84870, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5472dafcfa344877f5ecedfc8b34e13c8783ac36a191670b88f86c7c320f0d2d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/muya/src/config/index.ts", "duplicate_line": 189, "correlation_key": "fp|5472dafcfa344877f5ecedfc8b34e13c8783ac36a191670b88f86c7c320f0d2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muyajs/lib/config/index.js"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84869, "scanner": "repobility-ai-code-hygiene", "fingerprint": "921d30eb3dfe6cb573c66b97c82d103aaed2348211e306a8afff56fd7fcca945", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/muya/src/ui/previewToolBar/index.ts", "duplicate_line": 86, "correlation_key": "fp|921d30eb3dfe6cb573c66b97c82d103aaed2348211e306a8afff56fd7fcca945"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/ui/tableColumnToolbar/index.ts"}, "region": {"startLine": 103}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84868, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a1b870fb30637ab81a4e9bf7fbc34bb229e5826a691404d0a43ff3a4f0fbfa67", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/muya/src/ui/imageToolbar/index.ts", "duplicate_line": 62, "correlation_key": "fp|a1b870fb30637ab81a4e9bf7fbc34bb229e5826a691404d0a43ff3a4f0fbfa67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/ui/tableColumnToolbar/index.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84867, "scanner": "repobility-ai-code-hygiene", "fingerprint": "965f010566cadd487618971b9276b2a101c79bd999ce4d1880219ce1d9c6aa1c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/muya/src/ui/imageToolbar/index.ts", "duplicate_line": 63, "correlation_key": "fp|965f010566cadd487618971b9276b2a101c79bd999ce4d1880219ce1d9c6aa1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/ui/previewToolBar/index.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84866, "scanner": "repobility-ai-code-hygiene", "fingerprint": "51b2e81ed3bb7494b3c5cc7eac671c8c84b671e2b4f4754a795098fa1c5cc2d6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/muya/src/ui/imageToolbar/index.ts", "duplicate_line": 65, "correlation_key": "fp|51b2e81ed3bb7494b3c5cc7eac671c8c84b671e2b4f4754a795098fa1c5cc2d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/ui/linkTools/index.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84865, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e6c8b710619fc84fb5adb29f985e63557e22fc0ce1241d72a534d837c04e757", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/muya/src/inlineRenderer/renderer/autoLink.ts", "duplicate_line": 11, "correlation_key": "fp|5e6c8b710619fc84fb5adb29f985e63557e22fc0ce1241d72a534d837c04e757"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/inlineRenderer/renderer/superSubScript.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84864, "scanner": "repobility-ai-code-hygiene", "fingerprint": "acda92b3b835a291e49eaac07e55fca9b25dd3a8ce5f004eb16adcfa3f67af51", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/muya/src/inlineRenderer/renderer/inlineCode.ts", "duplicate_line": 13, "correlation_key": "fp|acda92b3b835a291e49eaac07e55fca9b25dd3a8ce5f004eb16adcfa3f67af51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/inlineRenderer/renderer/superSubScript.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84863, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fd83cd5ccb4eb7268bf0e4f44e2f2a5b236ef2a91cb6bb1a24bca5b411fad3be", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/muya/src/inlineRenderer/renderer/autoLink.ts", "duplicate_line": 12, "correlation_key": "fp|fd83cd5ccb4eb7268bf0e4f44e2f2a5b236ef2a91cb6bb1a24bca5b411fad3be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/inlineRenderer/renderer/inlineMath.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84862, "scanner": "repobility-ai-code-hygiene", "fingerprint": "70190f95f9eed5734343a87f009d451961fcc69c46cca5b5a4dc5a71ecee0af7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/muya/src/inlineRenderer/renderer/autoLink.ts", "duplicate_line": 11, "correlation_key": "fp|70190f95f9eed5734343a87f009d451961fcc69c46cca5b5a4dc5a71ecee0af7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/inlineRenderer/renderer/inlineCode.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84861, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6ce0625e79dbb25138b01b69df10e6554ea72d58e55b42d1d56d8a2032c5f27b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/muya/src/block/commonMark/codeBlock/index.ts", "duplicate_line": 46, "correlation_key": "fp|6ce0625e79dbb25138b01b69df10e6554ea72d58e55b42d1d56d8a2032c5f27b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/block/extra/frontmatter/index.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84860, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1c544d61e845d5bae3f7b67f5c293bf4aa36d8909c06ef74dc955d8b40c258f4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/muya/src/block/content/atxHeadingContent/index.ts", "duplicate_line": 29, "correlation_key": "fp|1c544d61e845d5bae3f7b67f5c293bf4aa36d8909c06ef74dc955d8b40c258f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/block/content/setextHeadingContent/index.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84859, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6dc28e557705f695086d30efecfe717274fd5921aa77e5869ca780df959df57a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/muya/src/block/base/content.ts", "duplicate_line": 324, "correlation_key": "fp|6dc28e557705f695086d30efecfe717274fd5921aa77e5869ca780df959df57a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/block/content/paragraphContent/index.ts"}, "region": {"startLine": 578}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84858, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d49e5d0d9c1623aedca6bff0733f961097d775acd8bdb81b7d6f72249456c8b7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/desktop/src/renderer/src/components/commandPalette/index.vue", "duplicate_line": 309, "correlation_key": "fp|d49e5d0d9c1623aedca6bff0733f961097d775acd8bdb81b7d6f72249456c8b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/renderer/src/prefComponents/keybindings/key-input-dialog.vue"}, "region": {"startLine": 153}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84857, "scanner": "repobility-ai-code-hygiene", "fingerprint": "da1aedcf527ae2074f9c859dd264a0e7cccb64a0e45ad3de4454da6a8f67a6bf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/desktop/src/renderer/src/components/titleBar/index.vue", "duplicate_line": 86, "correlation_key": "fp|da1aedcf527ae2074f9c859dd264a0e7cccb64a0e45ad3de4454da6a8f67a6bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/renderer/src/prefComponents/common/titlebar.vue"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84856, "scanner": "repobility-ai-code-hygiene", "fingerprint": "05c38d8c1d0e42f1f26d7d0a4b90af0b1f8fe72d0b1f9e238aaf37afa66b3efe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/desktop/src/renderer/src/prefComponents/common/bool/index.vue", "duplicate_line": 4, "correlation_key": "fp|05c38d8c1d0e42f1f26d7d0a4b90af0b1f8fe72d0b1f9e238aaf37afa66b3efe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/renderer/src/prefComponents/common/textBox/index.vue"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84855, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c4d911dc9f4741d006aaeb1a82f2214f15c8d7513485b15aa657c9a2a2fc559f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/desktop/src/renderer/src/prefComponents/common/range/index.vue", "duplicate_line": 54, "correlation_key": "fp|c4d911dc9f4741d006aaeb1a82f2214f15c8d7513485b15aa657c9a2a2fc559f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/renderer/src/prefComponents/common/select/index.vue"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84854, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e6ea642f97813ec0cc04736e49748fdf9a9d54c7cfae6831cc1c24f74a7a8c89", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/desktop/src/main/keyboard/keybindingsLinux.ts", "duplicate_line": 13, "correlation_key": "fp|e6ea642f97813ec0cc04736e49748fdf9a9d54c7cfae6831cc1c24f74a7a8c89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/keyboard/keybindingsWindows.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 84830, "scanner": "repobility-threat-engine", "fingerprint": "32a603285c9747e6eeb9bc0f119b0144da9b1f03bd208c0083f8d9673d6f758e", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = h", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|18|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/renderer/src/services/printService.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 84829, "scanner": "repobility-threat-engine", "fingerprint": "86ba76e430c48b6f1d9061bd2110a55794cbd4b5aaa0f3c43c30396010497e12", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = f", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|68|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/renderer/src/services/notification/index.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 84853, "scanner": "repobility-threat-engine", "fingerprint": "6857c1566d5bd240554629add4068ad32da64ff5907d32470010bb51818b911e", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.json' detected on same line", "evidence": {"match": "require(path", "reason": "Safe pattern '\\.json' detected on same line", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|6857c1566d5bd240554629add4068ad32da64ff5907d32470010bb51818b911e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/thirdPartyChecker.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 84852, "scanner": "repobility-threat-engine", "fingerprint": "05f9192310424b66dc6cc730b29049702b93d3baf967eaca9fa8d1491754438e", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.json' detected on same line", "evidence": {"match": "require(path", "reason": "Safe pattern '\\.json' detected on same line", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|05f9192310424b66dc6cc730b29049702b93d3baf967eaca9fa8d1491754438e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/postinstall.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 84851, "scanner": "repobility-threat-engine", "fingerprint": "32cf0571f9e2aa7062482a2347f4a00ec10f610b554e3fd94cd43728af925e2f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|32cf0571f9e2aa7062482a2347f4a00ec10f610b554e3fd94cd43728af925e2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/website/src/components/docs/CommandPalette.tsx"}, "region": {"startLine": 214}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 84850, "scanner": "repobility-threat-engine", "fingerprint": "b1c097fb2e70e155ba16c90777d9671f443d0803c6d606c72497956de2e936b3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b1c097fb2e70e155ba16c90777d9671f443d0803c6d606c72497956de2e936b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/website/src/app/layout.tsx"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 84849, "scanner": "repobility-threat-engine", "fingerprint": "8decef083b49ae1e792dca39bcd3b82208d2121213d071aafba6a779d6633f53", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8decef083b49ae1e792dca39bcd3b82208d2121213d071aafba6a779d6633f53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/website/src/app/docs/[...slug]/page.tsx"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 84848, "scanner": "repobility-threat-engine", "fingerprint": "4596248da89f2a72f0f0f3bd5da9d60c436647746a0cc8edd79e08066e55d082", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4596248da89f2a72f0f0f3bd5da9d60c436647746a0cc8edd79e08066e55d082"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/locales/fr.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 84847, "scanner": "repobility-threat-engine", "fingerprint": "cd8cbe2c854bcc5b1579c55d7afe91828b36a30c35ae12d17827e0aafdf8ae92", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cd8cbe2c854bcc5b1579c55d7afe91828b36a30c35ae12d17827e0aafdf8ae92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/config/escapeCharacter.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 84839, "scanner": "repobility-threat-engine", "fingerprint": "3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 84834, "scanner": "repobility-threat-engine", "fingerprint": "9b2b7a4f34853b52f380e3ae998fd84128469acb707594d55e22992797ed66b5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9b2b7a4f34853b52f380e3ae998fd84128469acb707594d55e22992797ed66b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/inlineRenderer/renderer/autoLinkExtension.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 84833, "scanner": "repobility-threat-engine", "fingerprint": "8712cb0998096ee65f17cc105363cbbca4be5e7346de3563ea5553589ad4bb2e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8712cb0998096ee65f17cc105363cbbca4be5e7346de3563ea5553589ad4bb2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/examples/src/data.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 84832, "scanner": "repobility-threat-engine", "fingerprint": "20bba4fcc65e0d9539762b3fef7609fbff90ee18f89505a2fdec0cc9c7edc10c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|20bba4fcc65e0d9539762b3fef7609fbff90ee18f89505a2fdec0cc9c7edc10c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/renderer/src/store/notification.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 84831, "scanner": "repobility-threat-engine", "fingerprint": "568cfd5899a9fd29ed226bb717929018b7b72d27b549dbbdefc662850719f93d", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|568cfd5899a9fd29ed226bb717929018b7b72d27b549dbbdefc662850719f93d"}}}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 84827, "scanner": "repobility-threat-engine", "fingerprint": "14787f68deb0032500fecf4ed282f9f5840d09cd1eb4acc1600f95cca2cb870b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|14787f68deb0032500fecf4ed282f9f5840d09cd1eb4acc1600f95cca2cb870b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/menu/actions/view.ts"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 84826, "scanner": "repobility-threat-engine", "fingerprint": "626b968a51905fab68488b914668d7d2e59a6d38ac62d921861aaee76f35958d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|626b968a51905fab68488b914668d7d2e59a6d38ac62d921861aaee76f35958d"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 84822, "scanner": "repobility-threat-engine", "fingerprint": "bc4fe1905face6abfbb1df553eea80cfb32ce77eb97423efe2e4a30a5efa5cba", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|bc4fe1905face6abfbb1df553eea80cfb32ce77eb97423efe2e4a30a5efa5cba"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 84818, "scanner": "repobility-threat-engine", "fingerprint": "e6f2b2e43438c0a72db7c4b00ebac5cca9defebed1ab82756cd4b4eaff0d5869", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e6f2b2e43438c0a72db7c4b00ebac5cca9defebed1ab82756cd4b4eaff0d5869"}}}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 84814, "scanner": "repobility-threat-engine", "fingerprint": "a1bb6273fbdc514ec53143946386dbdf16802c8fad0fe59f75dea80ba84c286d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a1bb6273fbdc514ec53143946386dbdf16802c8fad0fe59f75dea80ba84c286d"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 84810, "scanner": "repobility-threat-engine", "fingerprint": "462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 64 more): Same pattern found in 64 additional files. Review if needed."}, "properties": {"repobilityId": 84806, "scanner": "repobility-threat-engine", "fingerprint": "a4abcac13e24ac13720b3aa5f409d45342c0c528a83f28208961789140fa5d9b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 64 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a4abcac13e24ac13720b3aa5f409d45342c0c528a83f28208961789140fa5d9b", "aggregated_count": 64}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 84805, "scanner": "repobility-threat-engine", "fingerprint": "64f79c83e2c361d20ae098c6dd56efd12bfebd8c75ce354b2aca54971ab3cc21", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|64f79c83e2c361d20ae098c6dd56efd12bfebd8c75ce354b2aca54971ab3cc21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/utils/index.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 84804, "scanner": "repobility-threat-engine", "fingerprint": "49440eccece595a290c06b01c0f80a13010fb81bab099a14d6f6e7967e382433", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|49440eccece595a290c06b01c0f80a13010fb81bab099a14d6f6e7967e382433"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/preferences/index.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 84803, "scanner": "repobility-threat-engine", "fingerprint": "973a95c6e95a6034aa0ac4bfca07e0d0847af053ee421180206ae59995564b32", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|973a95c6e95a6034aa0ac4bfca07e0d0847af053ee421180206ae59995564b32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/editorBufferStore/index.ts"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 84802, "scanner": "repobility-threat-engine", "fingerprint": "eb94df71b213fc0c8802f0032777f001f0b6623bd07da5dbd70741d4f26b344b", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|224|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/editorBufferStore/index.ts"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 84801, "scanner": "repobility-threat-engine", "fingerprint": "10405ed5972d0163fa5681e2bb04cbe673746353d2f755e6d028c473b94466e9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|10405ed5972d0163fa5681e2bb04cbe673746353d2f755e6d028c473b94466e9", "aggregated_count": 11}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 84800, "scanner": "repobility-threat-engine", "fingerprint": "24bacf14e3121d65bc8159152ffe31cf4f9a96cae120eaf2385c7fb9d1fa707a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|24bacf14e3121d65bc8159152ffe31cf4f9a96cae120eaf2385c7fb9d1fa707a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/filesystem/index.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 84799, "scanner": "repobility-threat-engine", "fingerprint": "773145cfc7e2d38a33218029e82230d3f349e1fc86ff21a9cc8bcb447960f1a4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|773145cfc7e2d38a33218029e82230d3f349e1fc86ff21a9cc8bcb447960f1a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/editorBufferStore/index.ts"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 84798, "scanner": "repobility-threat-engine", "fingerprint": "ca1748c296266b68d02af93bd2c4f18869f57f94df72339adf1da831061610e1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ca1748c296266b68d02af93bd2c4f18869f57f94df72339adf1da831061610e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/dataCenter/index.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 84797, "scanner": "repobility-threat-engine", "fingerprint": "99679f8a19e1cf6e4d7b0df33fcfd9753550cbcead7e998d91515db6f54a6ad0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|99679f8a19e1cf6e4d7b0df33fcfd9753550cbcead7e998d91515db6f54a6ad0", "aggregated_count": 16}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 84796, "scanner": "repobility-threat-engine", "fingerprint": "6e5d8a25c78063fca1d509733a151d5c9e2221ef8c5d247e3c5fe4011325c619", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6e5d8a25c78063fca1d509733a151d5c9e2221ef8c5d247e3c5fe4011325c619"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/editorBufferStore/index.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 84795, "scanner": "repobility-threat-engine", "fingerprint": "65108d8fd68de476d4a4b3b465730a763f05141d255d5c10d31a59f96f65e828", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|65108d8fd68de476d4a4b3b465730a763f05141d255d5c10d31a59f96f65e828"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/dataCenter/index.ts"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 84794, "scanner": "repobility-threat-engine", "fingerprint": "0cb21ba0055dd0366b96d2bc62939b64010fd56cbf8e0e5d18af488a1b27a8fd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0cb21ba0055dd0366b96d2bc62939b64010fd56cbf8e0e5d18af488a1b27a8fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/app/accessor.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 84793, "scanner": "repobility-threat-engine", "fingerprint": "fb9fb002bf587f4fed1decfa21432ba221db6d030b7a6ee9ca0c881453dc1abd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fb9fb002bf587f4fed1decfa21432ba221db6d030b7a6ee9ca0c881453dc1abd", "aggregated_count": 20}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 84792, "scanner": "repobility-threat-engine", "fingerprint": "1ba939455c39bdc430fdb4d95b4ebab8e05812f04549a2e8734c84450768515e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1ba939455c39bdc430fdb4d95b4ebab8e05812f04549a2e8734c84450768515e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/editorBufferStore/index.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 84791, "scanner": "repobility-threat-engine", "fingerprint": "833d9b7f5ee545fd1ece931d54a0d1f39049114975f20ed16899a2aed95c10b7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|833d9b7f5ee545fd1ece931d54a0d1f39049114975f20ed16899a2aed95c10b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/commands/index.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 84790, "scanner": "repobility-threat-engine", "fingerprint": "53cb4037c4501389be1ecfa816d674843dc85766c705ff9139f88547a73afc4c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|53cb4037c4501389be1ecfa816d674843dc85766c705ff9139f88547a73afc4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/common/i18n.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84899, "scanner": "repobility-supply-chain", "fingerprint": "ec59dca20b9a35fbafceb59f7e8bb194b5717ff6fb7d7902d852d8ac74470284", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ec59dca20b9a35fbafceb59f7e8bb194b5717ff6fb7d7902d852d8ac74470284"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84898, "scanner": "repobility-supply-chain", "fingerprint": "fd9e806dc4c23d9fbe911edfca8479f18d01c8a051e81c7edab95ef5796c3222", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fd9e806dc4c23d9fbe911edfca8479f18d01c8a051e81c7edab95ef5796c3222"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84897, "scanner": "repobility-supply-chain", "fingerprint": "33aab7828e242128f042b43858d3ee2bab61ca1e9168a683e9d2157971b43921", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|33aab7828e242128f042b43858d3ee2bab61ca1e9168a683e9d2157971b43921"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/muya-build.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84896, "scanner": "repobility-supply-chain", "fingerprint": "821aa74cba33034355c420dc8422c0e77d25e8d93dbc415d7071cc91b1750f55", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|821aa74cba33034355c420dc8422c0e77d25e8d93dbc415d7071cc91b1750f55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v2.6.2`: `uses: softprops/action-gh-release@v2.6.2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84895, "scanner": "repobility-supply-chain", "fingerprint": "51fb453a98d27b90d3d77a4833143f0063c2b6c90bac9680500732042d6eac84", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|51fb453a98d27b90d3d77a4833143f0063c2b6c90bac9680500732042d6eac84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4.3.0`: `uses: actions/download-artifact@v4.3.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84894, "scanner": "repobility-supply-chain", "fingerprint": "31eb61e526b921ef9799cdde2128b50bd58f8fc38202422334afe1f6c959370f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|31eb61e526b921ef9799cdde2128b50bd58f8fc38202422334afe1f6c959370f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4.6.2`: `uses: actions/upload-artifact@v4.6.2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84893, "scanner": "repobility-supply-chain", "fingerprint": "8eaec8ca79e7700174f6ff09e0699709bcbbe942555a1f457ed54ce80c657247", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8eaec8ca79e7700174f6ff09e0699709bcbbe942555a1f457ed54ce80c657247"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4.3.0`: `uses: actions/cache@v4.3.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84892, "scanner": "repobility-supply-chain", "fingerprint": "9ecd32314cc8fa3a1176d1d03b6367274e19305e002be9a9ecf107266398ae44", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ecd32314cc8fa3a1176d1d03b6367274e19305e002be9a9ecf107266398ae44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5.6.0`: `uses: actions/setup-python@v5.6.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84891, "scanner": "repobility-supply-chain", "fingerprint": "59a5c777f7eccb89a2d9f12145f9b7b07a60ff7f53fb6d36495ff6981e2eee16", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|59a5c777f7eccb89a2d9f12145f9b7b07a60ff7f53fb6d36495ff6981e2eee16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4.3.1`: `uses: actions/checkout@v4.3.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84890, "scanner": "repobility-supply-chain", "fingerprint": "fb3e01596d587583dfa328ddbc48fb4336adf82224835a7b3a7deeba78a8a99b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fb3e01596d587583dfa328ddbc48fb4336adf82224835a7b3a7deeba78a8a99b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84889, "scanner": "repobility-supply-chain", "fingerprint": "6ffaf7c6c48d40d71c03aad49772cc14cc40172d146fbe8d0feeaeead9ab4cdf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6ffaf7c6c48d40d71c03aad49772cc14cc40172d146fbe8d0feeaeead9ab4cdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/muya-test.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `anthropics/claude-code-action` pinned to mutable ref `@v1`: `uses: anthropics/claude-code-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84888, "scanner": "repobility-supply-chain", "fingerprint": "534bd4586162f31f2808b5844fed0a67cc530127c2f83e762984a3c5125d5aaa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|534bd4586162f31f2808b5844fed0a67cc530127c2f83e762984a3c5125d5aaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84887, "scanner": "repobility-supply-chain", "fingerprint": "05635b012c9f3f966fce7c489beb55ce18ad0c874db4d97519baacd04967c63d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|05635b012c9f3f966fce7c489beb55ce18ad0c874db4d97519baacd04967c63d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84886, "scanner": "repobility-supply-chain", "fingerprint": "54031c0e8d34722f28ebcc371d247313ea6da2414474f8d8b101110f63b46b69", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|54031c0e8d34722f28ebcc371d247313ea6da2414474f8d8b101110f63b46b69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/muya-spec.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84885, "scanner": "repobility-supply-chain", "fingerprint": "72ce326e6007a648a2794f562d004c1df2c41d7aa5eee70cbebb0b83c6a5767b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|72ce326e6007a648a2794f562d004c1df2c41d7aa5eee70cbebb0b83c6a5767b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate-licenses.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `marocchino/sticky-pull-request-comment` pinned to mutable ref `@v2`: `uses: marocchino/sticky-pull-request-comment@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84882, "scanner": "repobility-supply-chain", "fingerprint": "1da7440f01d9d5538dc2bbaf6ddba01e6f7cd03faff6380e89a6f9b476b914b2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1da7440f01d9d5538dc2bbaf6ddba01e6f7cd03faff6380e89a6f9b476b914b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/website-deploy.yml"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `marocchino/sticky-pull-request-comment` pinned to mutable ref `@v2`: `uses: marocchino/sticky-pull-request-comment@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84881, "scanner": "repobility-supply-chain", "fingerprint": "45e98d05e6e0aa641e216f83f88d63d7b16cf8e9b83d11d499c74e14e73b4076", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45e98d05e6e0aa641e216f83f88d63d7b16cf8e9b83d11d499c74e14e73b4076"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/website-deploy.yml"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `marocchino/sticky-pull-request-comment` pinned to mutable ref `@v2`: `uses: marocchino/sticky-pull-request-comment@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84880, "scanner": "repobility-supply-chain", "fingerprint": "eb1696d06f82c81bfa5342daf6c4a2afd16b0e16467b5947481089cdd43ebf13", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb1696d06f82c81bfa5342daf6c4a2afd16b0e16467b5947481089cdd43ebf13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/website-deploy.yml"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84879, "scanner": "repobility-supply-chain", "fingerprint": "578ded97d6030e5c1e630600cd47e1a8a66207bf2517b0d9c13219781743385e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|578ded97d6030e5c1e630600cd47e1a8a66207bf2517b0d9c13219781743385e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/website-deploy.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84878, "scanner": "repobility-supply-chain", "fingerprint": "13f9c2e5b3a346bf44ecd09b03f9e386aaf0559b3b8f92fd481bd3f783d004c1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|13f9c2e5b3a346bf44ecd09b03f9e386aaf0559b3b8f92fd481bd3f783d004c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/website-deploy.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84877, "scanner": "repobility-supply-chain", "fingerprint": "f7747b25e2b7e256e84b16b5fa511c61d79c7580335c98aa46bd450088ba83ff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f7747b25e2b7e256e84b16b5fa511c61d79c7580335c98aa46bd450088ba83ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/website-deploy.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84876, "scanner": "repobility-supply-chain", "fingerprint": "416e36a48adcc7202bef90ca01b0f209f810c8b20dd7fd3379b04acc48f0499c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|416e36a48adcc7202bef90ca01b0f209f810c8b20dd7fd3379b04acc48f0499c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/muya-circular.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84875, "scanner": "repobility-supply-chain", "fingerprint": "03356cdb5903e89ce3fe4bd8a98c67f416da16b6638fa1639745abfc806a7a94", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|03356cdb5903e89ce3fe4bd8a98c67f416da16b6638fa1639745abfc806a7a94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/muya-lint.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84874, "scanner": "repobility-supply-chain", "fingerprint": "b8cc7e3554be2e443cb8b51d991ab58a8dbeae861967079ba0023bb5c253b19b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b8cc7e3554be2e443cb8b51d991ab58a8dbeae861967079ba0023bb5c253b19b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84873, "scanner": "repobility-supply-chain", "fingerprint": "45b6366e53fd08fa62cebc2921df9200f129e3f546b038d4c931fb734918f2c0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45b6366e53fd08fa62cebc2921df9200f129e3f546b038d4c931fb734918f2c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 84846, "scanner": "repobility-threat-engine", "fingerprint": "33aff155264e141bd417c76d2c743f356c0473c21aa0e7d6ccac6f935cf6bd07", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|33aff155264e141bd417c76d2c743f356c0473c21aa0e7d6ccac6f935cf6bd07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/state/htmlToMarkdown.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 84845, "scanner": "repobility-threat-engine", "fingerprint": "246f20910e9e0905a547ad03373d01db66a62b745eb2394c76d3ceff092f7ad7", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|246f20910e9e0905a547ad03373d01db66a62b745eb2394c76d3ceff092f7ad7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/inlineRenderer/utils.ts"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 84844, "scanner": "repobility-threat-engine", "fingerprint": "f71bd315520df67d729c8193243d3b90ca8b623ca21767c2f5258fbac75d3b89", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f71bd315520df67d729c8193243d3b90ca8b623ca21767c2f5258fbac75d3b89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/block/commonMark/html/htmlPreview.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 84838, "scanner": "repobility-threat-engine", "fingerprint": "866fa0f109a346a30adc22f616ce81691b9b534cd7143eac73b5e53400913239", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `<div class=\"mu-math-error\">&lt; ${i18n.t(\n                    'Invalid Mathematical Fo", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|866fa0f109a346a30adc22f616ce81691b9b534cd7143eac73b5e53400913239"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/block/extra/math/mathPreview.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 84837, "scanner": "repobility-threat-engine", "fingerprint": "95c9c5024fe43dd39abfa726a37f16a817bc7a7f8729ca02ce900abf07f250b4", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `<div class=\"mu-diagram-error\">&lt; ${i18n.t(\n                    'Invalid Diagram Code", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|95c9c5024fe43dd39abfa726a37f16a817bc7a7f8729ca02ce900abf07f250b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/block/extra/diagram/diagramPreview.ts"}, "region": {"startLine": 133}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 84836, "scanner": "repobility-threat-engine", "fingerprint": "e281497effada54e84ac95a834164229d481727823dbfe0bae5ebfef841190e8", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `${scrollbarStyle}\nspan code,\ntd code,\nth code,\ncode,\ncode[class*=\"language-\"],\n.CodeMi", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e281497effada54e84ac95a834164229d481727823dbfe0bae5ebfef841190e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/renderer/src/util/theme.ts"}, "region": {"startLine": 256}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 84835, "scanner": "repobility-threat-engine", "fingerprint": "efd55b8a89cc83360998d636c7774fb5bc1ca8a69aee1e3f70317a8fd3dcc542", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|efd55b8a89cc83360998d636c7774fb5bc1ca8a69aee1e3f70317a8fd3dcc542"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/renderer/src/util/fileSystem.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 84828, "scanner": "repobility-threat-engine", "fingerprint": "53a9736b8763c497a50b40c5aa0f86b0a8956d8d55a8f9e8dfb4312b8c5e4317", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|31|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/block/content/langInputContent/index.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 84825, "scanner": "repobility-threat-engine", "fingerprint": "7ee1aa023afc9fb1c34f871987439a3b5025eb3ca99a9fcd9bab08df97fdb66d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.store.delete(key)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7ee1aa023afc9fb1c34f871987439a3b5025eb3ca99a9fcd9bab08df97fdb66d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/preferences/index.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 84824, "scanner": "repobility-threat-engine", "fingerprint": "5cc0216162d5db0fd38a188b5d217bd6ff02fd74c98f1b2413aa7599310029ec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "actions.save(browserWindow as BrowserWindow | undefined)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5cc0216162d5db0fd38a188b5d217bd6ff02fd74c98f1b2413aa7599310029ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/menu/templates/file.ts"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 84823, "scanner": "repobility-threat-engine", "fingerprint": "cbad7e78eb5a5217f5b88403943eb1dadda4cd6698ccb95e85ea51462c896b44", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "popups.delete(win.id)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cbad7e78eb5a5217f5b88403943eb1dadda4cd6698ccb95e85ea51462c896b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/ipc/window.ts"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 84821, "scanner": "repobility-threat-engine", "fingerprint": "cab434c47f4f949a432f708fb2684540cf6bd81ec83d7327e59e171118f877fd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cab434c47f4f949a432f708fb2684540cf6bd81ec83d7327e59e171118f877fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/inlineRenderer/index.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 84820, "scanner": "repobility-threat-engine", "fingerprint": "a6c1eae6d543d0dcc163768e817fcb4e8f9a33d9a18a31d2b4fcc796a5e69abc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(from", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a6c1eae6d543d0dcc163768e817fcb4e8f9a33d9a18a31d2b4fcc796a5e69abc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/renderer/src/codeMirror/mltiplexMode.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 84819, "scanner": "repobility-threat-engine", "fingerprint": "e0b6a62dc0ab9bfb4a243cfeebcac0902657092c5eacb7684e308ad9139d3920", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(\n      `${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e0b6a62dc0ab9bfb4a243cfeebcac0902657092c5eacb7684e308ad9139d3920"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/ipc/uploader.ts"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 84813, "scanner": "repobility-threat-engine", "fingerprint": "0a844e8d75deb3c70a74aff0d0afd1251926b4ff039063d941d8061354afb227", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(MARKER_HASH", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0a844e8d75deb3c70a74aff0d0afd1251926b4ff039063d941d8061354afb227"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/block/content/langInputContent/escape.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 84812, "scanner": "repobility-threat-engine", "fingerprint": "c41ddd39af19d021e04e0852db9b397f4e83556301bc9f1af662c1cf3a1c7f38", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\n        query", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c41ddd39af19d021e04e0852db9b397f4e83556301bc9f1af662c1cf3a1c7f38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/renderer/src/commands/quickOpen.ts"}, "region": {"startLine": 132}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 84811, "scanner": "repobility-threat-engine", "fingerprint": "535d5966832eae1310787db811e1557f3459db39e0f83dfc7094c149a75a0875", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(String", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|535d5966832eae1310787db811e1557f3459db39e0f83dfc7094c149a75a0875"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/ipc/shell.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 84809, "scanner": "repobility-threat-engine", "fingerprint": "5eb2aa2db05eb3b1220e5c0352e6881f0eff33cb8c54dbfc9fd585a4e064302b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5eb2aa2db05eb3b1220e5c0352e6881f0eff33cb8c54dbfc9fd585a4e064302b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/windows/base.ts"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 84808, "scanner": "repobility-threat-engine", "fingerprint": "fbc91b074b6a28842b577ea37101c3e53ad168b7480853485648f0f62a1498a0", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fbc91b074b6a28842b577ea37101c3e53ad168b7480853485648f0f62a1498a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/utils/createGitHubIssue.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 84807, "scanner": "repobility-threat-engine", "fingerprint": "bf1ddf9524cd2f6877644c7a93e0b4e84bc3724b6e23626e134ca6821d3241ff", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(\n          i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bf1ddf9524cd2f6877644c7a93e0b4e84bc3724b6e23626e134ca6821d3241ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/exceptionHandler.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED123", "level": "error", "message": {"text": "[MINED123] Trojan Source bidi character (LRM) in source: Line 256 contains a Unicode bidirectional override character (U+200E LRM). This is the 'Trojan Source' attack (CVE-2021-42574): the character makes the compiler / interpreter see different code than the human reviewer."}, "properties": {"repobilityId": 84900, "scanner": "repobility-supply-chain", "fingerprint": "3a3fd6ae2890acd4abba622533a7e8fb090623ff147fa043e4ccdf3b13155997", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"mined": true, "mining": {"slug": "trojan-source-bidi", "owasp": null, "cwe_ids": ["CWE-1007"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "vuln||CVE-2021-42574|token", "duplicate_count": 2, "duplicate_rule_ids": ["MINED123"], "duplicate_scanners": ["repobility-supply-chain"], "duplicate_fingerprints": ["3a3fd6ae2890acd4abba622533a7e8fb090623ff147fa043e4ccdf3b13155997", "9c62209c270a2388605411c2967fdec75c5478576919409e922695f9a7fe4397", "d2c86724e8ed63ebc10aa13b6ea64043897563546deead30e47c26bb532a63b4"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/muya/src/config/escapeCharacter.ts"}, "region": {"startLine": 256}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 84884, "scanner": "repobility-supply-chain", "fingerprint": "1660caa2f3400bf791515320e2341bf6446caf1602353000e279f67e8b326494", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1660caa2f3400bf791515320e2341bf6446caf1602353000e279f67e8b326494"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/website-deploy.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 84883, "scanner": "repobility-supply-chain", "fingerprint": "1f7feb73d102e7c7a32c770fc06915278db3e87b9662d8d61339f7df631fd7d7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1f7feb73d102e7c7a32c770fc06915278db3e87b9662d8d61339f7df631fd7d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/website-deploy.yml"}, "region": {"startLine": 29}}}]}]}]}