{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB004", "name": "robots.txt blocks the full public site", "shortDescription": {"text": "robots.txt blocks the full public site"}, "fullDescription": {"text": "Replace full-site blocking with specific private path disallows, or add explicit Allow rules for public docs and landing pages."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. 
Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `wekan` image has no explicit tag", "shortDescription": {"text": "Compose service `wekan` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `wekan` image uses the latest tag", "shortDescription": {"text": "Compose service `wekan` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKC014", "name": "Database data bind mount is inside the Docker build context", "shortDescription": {"text": "Database data bind mount is inside the Docker build context"}, "fullDescription": {"text": "Prefer a named volume or a host path outside the build context. 
If a repo-local path is required, add it to .dockerignore and .gitignore and verify backups separately."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "AGT005", "name": "Calendar/event date parsing can crash on malformed persisted data", "shortDescription": {"text": "Calendar/event date parsing can crash on malformed persisted data"}, "fullDescription": {"text": "Parse event dates through a safe helper that returns null for invalid input, filter invalid events before render, and surface data-repair guidance instead of throwing during render."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. 
Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. 
Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. 
If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, 
API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", 
"shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. 
Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested.", "shortDescription": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 4 more): Same pattern found in 4 additional files. 
Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 38 more): Same pattern found in 38 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 38 more): Same pattern found in 38 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 6 more): Same pattern found in 6 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 6 more): Same pattern found in 6 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v3`: `uses: softprops/action-gh-release@v3` reso", "shortDescription": {"text": "[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v3`: `uses: softprops/action-gh-release@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-file"}, "fullDescription": {"text": "Replace with: `uses: softprops/action-gh-release@<40-char-sha>  # v3` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `mongo:7` unpinned: `container/services image: mongo:7` without `@sha256:..", "shortDescription": {"text": "[MINED126] Workflow container/services image `mongo:7` unpinned: `container/services image: mongo:7` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline a"}, "fullDescription": {"text": "Replace with `mongo:7@sha256:<digest>`. 
Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images shou"}, "fullDescription": {"text": "Replace with: `FROM ubuntu:24.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.summary` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.", "shortDescription": {"text": "[MINED108] `self.summary` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.summary`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first"}, "fullDescription": {"text": "Initialize `self.summary = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC009", "name": "Compose service bind-mounts a sensitive host path", "shortDescription": {"text": "Compose service bind-mounts a sensitive host path"}, "fullDescription": {"text": "Mount only the exact file or directory required, prefer read-only mode, and avoid host system paths."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. 
Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED123", "name": "[MINED123] Trojan Source bidi character (LRM) in source: Line 150 contains a Unicode bidirectional override character (U", "shortDescription": {"text": "[MINED123] Trojan Source bidi character (LRM) in source: Line 150 contains a Unicode bidirectional override character (U+200E LRM). This is the 'Trojan Source' attack (CVE-2021-42574): the character makes the compiler / interpreter see diff"}, "fullDescription": {"text": "Audit the line manually. If the character is not intentional (it almost never is in code), remove it. Configure your editor / pre-commit hook to reject bidi controls in source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `enum` used but not imported: The file uses `enum.something(...)` but never imports `enum`. T", "shortDescription": {"text": "[MINED107] Missing import: `enum` used but not imported: The file uses `enum.something(...)` but never imports `enum`. 
This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import enum` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "DKR005", "name": "Docker image bakes a secret-like ENV value", "shortDescription": {"text": "Docker image bakes a secret-like ENV value"}, "fullDescription": {"text": "Remove the secret from the Dockerfile, rotate the value if real, and inject runtime secrets through your platform secret manager."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. 
These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/563"}, "properties": {"repository": "wekan/wekan", "repoUrl": "https://github.com/wekan/wekan.git", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 38769, "scanner": "repobility-ast-engine", "fingerprint": "c0af5b310431f44dd1e2caba9189ebf22f73f5045a6b559ee6c2194a80ba9a2a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c0af5b310431f44dd1e2caba9189ebf22f73f5045a6b559ee6c2194a80ba9a2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 811}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 38742, "scanner": "repobility-ast-engine", "fingerprint": "fa4c7c5c69640f960a27993ca5c244f8f6ebd1c6ccde9daca2e011acfa6b8d19", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fa4c7c5c69640f960a27993ca5c244f8f6ebd1c6ccde9daca2e011acfa6b8d19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api.py"}, "region": {"startLine": 785}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 38741, "scanner": "repobility-ast-engine", "fingerprint": "38d7ac40e672e7790334bfcf7aa4ccad9dc6bfc42e684f054a7dc2e2a6cfe2f9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|38d7ac40e672e7790334bfcf7aa4ccad9dc6bfc42e684f054a7dc2e2a6cfe2f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api.py"}, "region": {"startLine": 568}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 38740, "scanner": "repobility-ast-engine", "fingerprint": "103d81e8acaa0f9858c1cd7531ef5846177f5f4d0981d91f5f0123123c25f04e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|103d81e8acaa0f9858c1cd7531ef5846177f5f4d0981d91f5f0123123c25f04e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api.py"}, "region": {"startLine": 412}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 38739, "scanner": "repobility-ast-engine", "fingerprint": "00514288710ab3b8104b1aafd782e7152f9c051b00757228aa71ab02c4ec4e38", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|00514288710ab3b8104b1aafd782e7152f9c051b00757228aa71ab02c4ec4e38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api.py"}, "region": {"startLine": 389}}}]}, {"ruleId": "WEB004", "level": "warning", "message": {"text": "robots.txt blocks the full public site"}, "properties": {"repobilityId": 38738, "scanner": "repobility-web-presence", "fingerprint": "2ddf9fdc45881d6bdc147bcb3c6de9d6afa48a973847300ac76842f3ac491c91", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "robots.txt contains a global disallow rule for the root path.", "evidence": {"rule_id": "WEB004", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309"], "correlation_key": "fp|2ddf9fdc45881d6bdc147bcb3c6de9d6afa48a973847300ac76842f3ac491c91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 38736, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web 
app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 38735, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 38731, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", 
"evidence": {"scanner": "repobility-access-control", "frameworks": ["Django", "Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `wekan` image has no explicit tag"}, "properties": {"repobilityId": 38726, "scanner": "repobility-docker", "fingerprint": "a262a6f8eafd106a96f8131905811cba605215d4488db35ed69ba85f64c2348b", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "quay.io/wekan/wekan", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a262a6f8eafd106a96f8131905811cba605215d4488db35ed69ba85f64c2348b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Databases/ToroDB-PostgreSQL/docker-compose.yml"}, "region": {"startLine": 147}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 38725, "scanner": "repobility-docker", "fingerprint": "b833eeffe04ad613a450fcb050b5495a6af508b8d6a871bcccdee915824ca775", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "mongodb", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|b833eeffe04ad613a450fcb050b5495a6af508b8d6a871bcccdee915824ca775"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "docs/Databases/ToroDB-PostgreSQL/docker-compose.yml"}, "region": {"startLine": 709}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 38722, "scanner": "repobility-docker", "fingerprint": "1fbfb7179b6b5f9a4d2888d8564e85cb8b80783e163d75ebd018eace50f072d1", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|1fbfb7179b6b5f9a4d2888d8564e85cb8b80783e163d75ebd018eace50f072d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Databases/ToroDB-PostgreSQL/docker-compose.yml"}, "region": {"startLine": 112}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `wekan` image uses the latest tag"}, "properties": {"repobilityId": 38712, "scanner": "repobility-docker", "fingerprint": "644dc44da32095ff76bf2d3b9f4f6ec3bf38152199d68a06ba3a2f546b83f658", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/wekan/wekan:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|644dc44da32095ff76bf2d3b9f4f6ec3bf38152199d68a06ba3a2f546b83f658"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 265}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database 
service has no healthcheck"}, "properties": {"repobilityId": 38711, "scanner": "repobility-docker", "fingerprint": "3a39d3ce82f1e03c9bc2d99f6ac192b54c0ad63cdbc79f01203ef1567297918c", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "wekandb", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|3a39d3ce82f1e03c9bc2d99f6ac192b54c0ad63cdbc79f01203ef1567297918c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 224}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 38706, "scanner": "repobility-docker", "fingerprint": "3e3af7c3e4b233166f603ff812b3a1f455b48e3e9994ec1524b5f86e221c6d2c", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "wekandb-dev", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|3e3af7c3e4b233166f603ff812b3a1f455b48e3e9994ec1524b5f86e221c6d2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKC014", "level": "warning", "message": {"text": "Database data bind mount is inside the Docker build context"}, "properties": {"repobilityId": 38705, "scanner": "repobility-docker", "fingerprint": "0e0e9baacd3c4895c04cfc414ba73acb3c97009da378285345ca4db5d0698d9b", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, 
"reason": "Database data directory is mounted from a relative path that is not excluded by .dockerignore.", "evidence": {"source": "./volumes/wekan-db", "target": "/data/db", "rule_id": "DKC014", "scanner": "repobility-docker", "service": "wekandb-dev", "references": ["https://docs.docker.com/engine/storage/volumes/", "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|0e0e9baacd3c4895c04cfc414ba73acb3c97009da378285345ca4db5d0698d9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "AGT005", "level": "warning", "message": {"text": "Calendar/event date parsing can crash on malformed persisted data"}, "properties": {"repobilityId": 38700, "scanner": "repobility-agent-runtime", "fingerprint": "5f75ca771a2bfb8e0412cda5678e3a49ca9508a636e89627f87e0742fbbec857", "category": "quality", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File parses startAt/endAt directly with new Date but does not show an isValid/isNaN/parseISO guard.", "evidence": {"rule_id": "AGT005", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|5f75ca771a2bfb8e0412cda5678e3a49ca9508a636e89627f87e0742fbbec857"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/csvCreator.js"}, "region": {"startLine": 310}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 38699, "scanner": "repobility-agent-runtime", "fingerprint": "701dd9b94709b0477e286e8e62eca743c785bb344b129536943e0c6135d39cc4", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell 
without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|701dd9b94709b0477e286e8e62eca743c785bb344b129536943e0c6135d39cc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Platforms/FOSS/Source/Source.md"}, "region": {"startLine": 23}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 38698, "scanner": "repobility-agent-runtime", "fingerprint": "8558f1a6be5071ccf9dc29168267ae54444015e6e67c7657abfd84ac8717b2b8", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|8558f1a6be5071ccf9dc29168267ae54444015e6e67c7657abfd84ac8717b2b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Platforms/FOSS/Source/Install-from-source-without-root.md"}, "region": {"startLine": 10}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 38697, "scanner": "repobility-agent-runtime", "fingerprint": "e0107da24c4344ea4f5de24e6acfd20fe07a3aa7611614f136e00e7ef2467569", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|e0107da24c4344ea4f5de24e6acfd20fe07a3aa7611614f136e00e7ef2467569"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Platforms/FOSS/Sandstorm/Developing-Wekan-for-Sandstorm.md"}, "region": {"startLine": 15}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 38696, "scanner": "repobility-agent-runtime", "fingerprint": "6d0853d0721a86397f012da53b3ef601675a29e43d5f870be40be9e8808aa434", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|6d0853d0721a86397f012da53b3ef601675a29e43d5f870be40be9e8808aa434"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Platforms/FOSS/Sandstorm/Building-Wekan-for-Sandstorm.md"}, "region": {"startLine": 62}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 38695, "scanner": "repobility-agent-runtime", "fingerprint": "c64dfb6004cde80aaef2eaac95652d9263ee84edfbcfef1aa6e091a2367af924", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|c64dfb6004cde80aaef2eaac95652d9263ee84edfbcfef1aa6e091a2367af924"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/DeveloperDocs/Debugging.md"}, "region": {"startLine": 99}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command 
pipes network code directly to a shell"}, "properties": {"repobilityId": 38694, "scanner": "repobility-agent-runtime", "fingerprint": "46d103ffc5502de1d45030b9d6c6ad4c082d43dee4572c71a74c99b935ec4d84", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|46d103ffc5502de1d45030b9d6c6ad4c082d43dee4572c71a74c99b935ec4d84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Databases/FerretDB2-PostgreSQL.md"}, "region": {"startLine": 28}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 38693, "scanner": "repobility-agent-runtime", "fingerprint": "fc80b986941869e7f4090c788ec5e62cc724de419f2e33a51b44111c6dde6b7e", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|fc80b986941869e7f4090c788ec5e62cc724de419f2e33a51b44111c6dde6b7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/swimlanes/swimlanes.js"}, "region": {"startLine": 106}}}]}, {"ruleId": "AGT005", "level": "warning", "message": {"text": "Calendar/event date parsing can crash on malformed persisted data"}, "properties": {"repobilityId": 38692, "scanner": "repobility-agent-runtime", "fingerprint": "af329ebc4d7d7db187bcfae5cf669ef525420794d3c9ae4e7705b4c4f18d1852", 
"category": "quality", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File parses startAt/endAt directly with new Date but does not show an isValid/isNaN/parseISO guard.", "evidence": {"rule_id": "AGT005", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|af329ebc4d7d7db187bcfae5cf669ef525420794d3c9ae4e7705b4c4f18d1852"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/gantt/gantt.js"}, "region": {"startLine": 110}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 38691, "scanner": "repobility-agent-runtime", "fingerprint": "007ff6397882a12c21b00bda6d4615469b7401757def9c7ac8acdd3ef1568d96", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|007ff6397882a12c21b00bda6d4615469b7401757def9c7ac8acdd3ef1568d96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 127}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 38690, "scanner": "repobility-agent-runtime", "fingerprint": "7e49748f9a355c89bb2258d1dcc9b318c759a7222ee487bafc6eb275e3dcbf01", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": 
{"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|7e49748f9a355c89bb2258d1dcc9b318c759a7222ee487bafc6eb275e3dcbf01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".travis.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 38689, "scanner": "repobility-agent-runtime", "fingerprint": "a7a61ad4fabe289d3ef8bda96fe12ef7c4d9a232173ebbf47d2b4b011e1f69e7", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|a7a61ad4fabe289d3ef8bda96fe12ef7c4d9a232173ebbf47d2b4b011e1f69e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-all.yml"}, "region": {"startLine": 127}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 38688, "scanner": "repobility-agent-runtime", "fingerprint": "029a4e730104f012036555b0661d45042f96ec26cf0ed84aca75ab73a1659479", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|029a4e730104f012036555b0661d45042f96ec26cf0ed84aca75ab73a1659479"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwright.yml"}, "region": {"startLine": 
27}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 38654, "scanner": "repobility-threat-engine", "fingerprint": "7e7c02fa51b7fe56efcdbcb16e4d8352440f79e015634fd27ebb8028265759d2", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|server/models/activities.js|171|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/models/activities.js"}, "region": {"startLine": 171}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 38647, "scanner": "repobility-threat-engine", "fingerprint": "e50b3e1d922cc99a91063df8feb110fbe0ea4bfd88ebc0e8b30d459ce94d0f48", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(loginUrl, '_blank', 'location=no,hidden=no')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|65|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/wekan-accounts-cas/cas_client_cordova.js"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 38646, "scanner": "repobility-threat-engine", "fingerprint": "12abfb93ea99e18d8d55b61b886d71a9d53c0cc2b7061dc663deaef9a55f0ed5", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(url, '_blank', features)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|115|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/wekan-accounts-cas/cas_client.js"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 38645, "scanner": "repobility-threat-engine", "fingerprint": "2f6751cd6a406abe18e4dc2c41205b7d298793d7c7ca97c44fb18302a7106257", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "sessionId = `${String(Meteor.userId())}-${String(Math.random", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|models/usersessiondata.js|232|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/usersessiondata.js"}, "region": {"startLine": 232}}}]}, {"ruleId": "SEC002", "level": "warning", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 38628, "scanner": "repobility-threat-engine", "fingerprint": "f3478b4c1b60c224fcab8184368d3fd6f2961d9a17db88282c80198056a69a59", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.3 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: documentation/example path]", "evidence": {"match": "API_KEY = '<redacted>'", "reason": "Low entropy value (3.3 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: documentation/example path]", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|1|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/ImportExport/asana/export_boards.pl"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 
window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030."}, "properties": {"repobilityId": 38627, "scanner": "repobility-threat-engine", "fingerprint": "aa4a48bf10d78ad581347f32580858c6b33366f4db8dc5cdf27a798e10fce9db", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.location = loginUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aa4a48bf10d78ad581347f32580858c6b33366f4db8dc5cdf27a798e10fce9db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/wekan-accounts-cas/cas_client.js"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). 
Complement to server-side SEC030."}, "properties": {"repobilityId": 38626, "scanner": "repobility-threat-engine", "fingerprint": "2f6eb57068f1095d1ef157ae7c1daa8e8385e72ada8452b05cae844160f0d8cc", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.location = oauthServerUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2f6eb57068f1095d1ef157ae7c1daa8e8385e72ada8452b05cae844160f0d8cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/accounts.js"}, "region": {"startLine": 128}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 38616, "scanner": "repobility-threat-engine", "fingerprint": "dfb114e51322bf8985a5c217253e2f2fb662380c2a523ac8d076da6270ea4ef3", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dfb114e51322bf8985a5c217253e2f2fb662380c2a523ac8d076da6270ea4ef3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/models/activities.js"}, "region": {"startLine": 313}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 38615, "scanner": "repobility-threat-engine", "fingerprint": "8f45f7bf608a616fa0aadc213723673bc5fc42a289c0c41db90f8f7e5d946352", "category": 
"error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8f45f7bf608a616fa0aadc213723673bc5fc42a289c0c41db90f8f7e5d946352"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/unicode-icons.js"}, "region": {"startLine": 66}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 38614, "scanner": "repobility-threat-engine", "fingerprint": "5c2d8b149cd8a2e15dbad83926b00d80f54e81788cd6ca217ef7ae70f629bfe9", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5c2d8b149cd8a2e15dbad83926b00d80f54e81788cd6ca217ef7ae70f629bfe9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/00-startup.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 38737, "scanner": "repobility-web-presence", "fingerprint": "12d1aab6ee1a443feb14574bf5d0fbdb1f0693f388e4ba974e05b2dfd78786e8", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": 
"repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|12d1aab6ee1a443feb14574bf5d0fbdb1f0693f388e4ba974e05b2dfd78786e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 38734, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 38733, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", 
"message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 38732, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 38730, "scanner": "repobility-docker", "fingerprint": "d31ea59f9074e05297fcc6940ee8a540fb4778028a58187e71998a1fe3b9ae8d", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "wekan", "dependency": "mongodb", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|d31ea59f9074e05297fcc6940ee8a540fb4778028a58187e71998a1fe3b9ae8d", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Databases/ToroDB-PostgreSQL/docker-compose.yml"}, "region": {"startLine": 147}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 38729, "scanner": "repobility-docker", "fingerprint": 
"065ff2a560fa73d83289c9e37abb2143776465c0eab488bf1ea1e89a92fc5ec6", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "wekan", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|065ff2a560fa73d83289c9e37abb2143776465c0eab488bf1ea1e89a92fc5ec6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Databases/ToroDB-PostgreSQL/docker-compose.yml"}, "region": {"startLine": 147}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 38727, "scanner": "repobility-docker", "fingerprint": "c86de2cf526c147ce7571f34222d89d54351ab0899c813fd3deddeb8c3fc2246", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "wekan", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c86de2cf526c147ce7571f34222d89d54351ab0899c813fd3deddeb8c3fc2246"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Databases/ToroDB-PostgreSQL/docker-compose.yml"}, "region": {"startLine": 147}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 38715, "scanner": "repobility-docker", "fingerprint": "532b4c3549d936cfb2d7367e91157ebb2879291e5d9fc69bfca90747e81141fc", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": 
"needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "wekan", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|532b4c3549d936cfb2d7367e91157ebb2879291e5d9fc69bfca90747e81141fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 265}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 38713, "scanner": "repobility-docker", "fingerprint": "fcb62079b3e2777ebd563dba40578d15ed0c61ffbdb011eb74004b8bd40b4a6d", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "wekan", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fcb62079b3e2777ebd563dba40578d15ed0c61ffbdb011eb74004b8bd40b4a6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 265}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 38709, "scanner": "repobility-docker", "fingerprint": "814727a5f79e3c7898825a8750cd289729ba6c3a90133616175c85b7e236b22e", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "wekan-dev", "dependency": "wekandb-dev", 
"references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|814727a5f79e3c7898825a8750cd289729ba6c3a90133616175c85b7e236b22e", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 38708, "scanner": "repobility-docker", "fingerprint": "2c76337f189677c5c97da8162c8c657eab38bf7465a7ccced27d80c15966f193", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "wekan-dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2c76337f189677c5c97da8162c8c657eab38bf7465a7ccced27d80c15966f193"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 38702, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38687, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2bb4d7301280251029e3cabc5f1c56213c02c36a16ca26da31fff6688d325bfe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "models/exportExcelCard.js", "duplicate_line": 38, "correlation_key": "fp|2bb4d7301280251029e3cabc5f1c56213c02c36a16ca26da31fff6688d325bfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/exportPDF.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38686, "scanner": "repobility-ai-code-hygiene", "fingerprint": "22a5d6dde51f5717a76269a20f07981eb74112dc98a1bcade9decc21796cd539", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "models/exportExcel.js", "duplicate_line": 26, "correlation_key": "fp|22a5d6dde51f5717a76269a20f07981eb74112dc98a1bcade9decc21796cd539"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/exportPDF.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation 
block across source files"}, "properties": {"repobilityId": 38685, "scanner": "repobility-ai-code-hygiene", "fingerprint": "96fcceb78613980f487eafe82d040e5133e37784ad1811d2b2c16e95ab6a455a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "models/export.js", "duplicate_line": 157, "correlation_key": "fp|96fcceb78613980f487eafe82d040e5133e37784ad1811d2b2c16e95ab6a455a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/exportExcel.js"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38684, "scanner": "repobility-ai-code-hygiene", "fingerprint": "722f43b99fb768f101e9983ebbf8540abcd436b7895ec21eb19ae717d33f2803", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "models/accessibilitySettings.js", "duplicate_line": 18, "correlation_key": "fp|722f43b99fb768f101e9983ebbf8540abcd436b7895ec21eb19ae717d33f2803"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/customFields.js"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38683, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5dbf02fc2d1675f878d0bc27caac54e0fb3d5d2cd46c1b644cafbc872b1dfa75", 
"category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "models/accessibilitySettings.js", "duplicate_line": 22, "correlation_key": "fp|5dbf02fc2d1675f878d0bc27caac54e0fb3d5d2cd46c1b644cafbc872b1dfa75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/checklists.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38682, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fb8384c0ee544409958694cb9792b2bf638a643d26b9c7dbb47d81e6aefd834c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "models/cardComments.js", "duplicate_line": 24, "correlation_key": "fp|fb8384c0ee544409958694cb9792b2bf638a643d26b9c7dbb47d81e6aefd834c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/checklists.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38681, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ad58321e1eb181b8fad0c12f7ea3a6ce688034ecb56a00a305708fc77cc4e356", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two 
different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "models/attachmentStorageSettings.js", "duplicate_line": 127, "correlation_key": "fp|ad58321e1eb181b8fad0c12f7ea3a6ce688034ecb56a00a305708fc77cc4e356"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/checklists.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38680, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b5ca2d3e502f06c761c314c5aa26a6275aadb7f873d22cb89889b26a044e2ccb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "models/accessibilitySettings.js", "duplicate_line": 18, "correlation_key": "fp|b5ca2d3e502f06c761c314c5aa26a6275aadb7f873d22cb89889b26a044e2ccb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/checklistItems.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38679, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dfd94c03758c08cd553f1108f7e5dc5b7b51d7bba0cce7e0b06328965f9054f8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"models/accessibilitySettings.js", "duplicate_line": 22, "correlation_key": "fp|dfd94c03758c08cd553f1108f7e5dc5b7b51d7bba0cce7e0b06328965f9054f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/cardComments.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38678, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8eaa73c35170b2285921491da490c1fe01a366e9fd5faa3ba2cf870ed28b36f5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "models/attachmentStorageSettings.js", "duplicate_line": 127, "correlation_key": "fp|8eaa73c35170b2285921491da490c1fe01a366e9fd5faa3ba2cf870ed28b36f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/cardComments.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38677, "scanner": "repobility-ai-code-hygiene", "fingerprint": "22dcf5817f1c0b9a696da3a95b6f80b27509b33b3ef6be2f45e010702c7044bc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "models/attachments.js", "duplicate_line": 17, "correlation_key": "fp|22dcf5817f1c0b9a696da3a95b6f80b27509b33b3ef6be2f45e010702c7044bc"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "models/avatars.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38676, "scanner": "repobility-ai-code-hygiene", "fingerprint": "890b88ad3fd010c0114337363ec39ba86a713381fcaaec25306dc1588d494c3d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "models/accountSettings.js", "duplicate_line": 12, "correlation_key": "fp|890b88ad3fd010c0114337363ec39ba86a713381fcaaec25306dc1588d494c3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/announcements.js"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38675, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fda6c8342306516d9a0e613491f42f5d04bf3dcd6871c4a8259bbaab599f2e8d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "models/accessibilitySettings.js", "duplicate_line": 6, "correlation_key": "fp|fda6c8342306516d9a0e613491f42f5d04bf3dcd6871c4a8259bbaab599f2e8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/announcements.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across 
source files"}, "properties": {"repobilityId": 38674, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d4da00673737ef13ab7897b1d4c90d8c5ee2c43502b1cd9c164c950ff41f215d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "models/accessibilitySettings.js", "duplicate_line": 18, "correlation_key": "fp|d4da00673737ef13ab7897b1d4c90d8c5ee2c43502b1cd9c164c950ff41f215d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/accountSettings.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38673, "scanner": "repobility-ai-code-hygiene", "fingerprint": "91725b2e6a8d9f6bef300894275b28d7a98e717ac297f62e434d9d08aa1901bd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/lib/secureDOMPurify.js", "duplicate_line": 5, "correlation_key": "fp|91725b2e6a8d9f6bef300894275b28d7a98e717ac297f62e434d9d08aa1901bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "imports/lib/secureDOMPurify.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38672, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"a316d0a3f0fcb32b4ba16694f0f35c7c61750ddbc506942320426bc25e4e3583", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/components/cards/cardCustomFields.js", "duplicate_line": 13, "correlation_key": "fp|a316d0a3f0fcb32b4ba16694f0f35c7c61750ddbc506942320426bc25e4e3583"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/query-classes.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38671, "scanner": "repobility-ai-code-hygiene", "fingerprint": "069273a88997cabdc3635069f03492454ffee5e757efc7e4c5f36fa90ff980bb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/config/blazeHelpers.js", "duplicate_line": 11, "correlation_key": "fp|069273a88997cabdc3635069f03492454ffee5e757efc7e4c5f36fa90ff980bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/query-classes.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38670, "scanner": "repobility-ai-code-hygiene", "fingerprint": "57d1545b8fbd02bce8cdbd04ee986f0b0c73b531966c0cc582c9b585f1929987", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/lib/dropImage.js", "duplicate_line": 38, "correlation_key": "fp|57d1545b8fbd02bce8cdbd04ee986f0b0c73b531966c0cc582c9b585f1929987"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/lib/pasteImage.js"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38669, "scanner": "repobility-ai-code-hygiene", "fingerprint": "038b27c47800b71875992785fd7135011dd90aefc74c930f735a45c075c60346", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/components/cards/cardCustomFields.js", "duplicate_line": 13, "correlation_key": "fp|038b27c47800b71875992785fd7135011dd90aefc74c930f735a45c075c60346"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/lib/filter.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38668, "scanner": "repobility-ai-code-hygiene", "fingerprint": "50bdc67590e6d4289055982631d703df35e62018d841431be235361cfce14fc9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/config/blazeHelpers.js", "duplicate_line": 11, "correlation_key": "fp|50bdc67590e6d4289055982631d703df35e62018d841431be235361cfce14fc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/lib/filter.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38667, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6e77df6f9fa9be30a205db687ec085e226600e1d13a60f887c679bba37786451", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/components/cards/cardDate.js", "duplicate_line": 17, "correlation_key": "fp|6e77df6f9fa9be30a205db687ec085e226600e1d13a60f887c679bba37786451"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/config/blazeHelpers.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38666, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8dfd9c91569d2510ec8b14db893200d0359851504e958dc81869710e176b433d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/components/cards/cardCustomFields.js", "duplicate_line": 13, "correlation_key": 
"fp|8dfd9c91569d2510ec8b14db893200d0359851504e958dc81869710e176b433d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/config/blazeHelpers.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38665, "scanner": "repobility-ai-code-hygiene", "fingerprint": "25c7acd0daa7a95d617267d3b96864fdd24e242f3b496b0e0ab2f046a023d345", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/components/main/layouts.js", "duplicate_line": 191, "correlation_key": "fp|25c7acd0daa7a95d617267d3b96864fdd24e242f3b496b0e0ab2f046a023d345"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/users/userHeader.js"}, "region": {"startLine": 264}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38664, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c8ecc0ad4a000ff41de77d5c4f1bd7f34e2fd6a6c0f0c0ae64b2a9ae230c0678", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/components/lists/listHeader.js", "duplicate_line": 532, "correlation_key": "fp|c8ecc0ad4a000ff41de77d5c4f1bd7f34e2fd6a6c0f0c0ae64b2a9ae230c0678"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"client/components/swimlanes/swimlanes.js"}, "region": {"startLine": 569}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38663, "scanner": "repobility-ai-code-hygiene", "fingerprint": "65dad94901c09640fa18e002a6ec0a6d98be4957acb209851cd7ac9946517ba8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/components/lists/list.js", "duplicate_line": 359, "correlation_key": "fp|65dad94901c09640fa18e002a6ec0a6d98be4957acb209851cd7ac9946517ba8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/swimlanes/swimlanes.js"}, "region": {"startLine": 412}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38662, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5c56a6f13d29f4c5a33ed13740cb006681bced6ef3046c2aa6de13cbb9cd0227", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/components/lists/listBody.js", "duplicate_line": 576, "correlation_key": "fp|5c56a6f13d29f4c5a33ed13740cb006681bced6ef3046c2aa6de13cbb9cd0227"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/swimlanes/swimlaneHeader.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": 
{"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38661, "scanner": "repobility-ai-code-hygiene", "fingerprint": "58eb1c6b34f56213a0784668dc3d970bfb77dae68c7715fac766acf7ee1aa102", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/components/main/brokenCards.js", "duplicate_line": 23, "correlation_key": "fp|58eb1c6b34f56213a0784668dc3d970bfb77dae68c7715fac766acf7ee1aa102"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/settings/adminReports.js"}, "region": {"startLine": 243}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38660, "scanner": "repobility-ai-code-hygiene", "fingerprint": "767e315478db4de2584052114a6afcaa3071b9966bd521a3823786396f4e2dee", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/components/rules/actions/cardActions.js", "duplicate_line": 93, "correlation_key": "fp|767e315478db4de2584052114a6afcaa3071b9966bd521a3823786396f4e2dee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/rules/actions/checklistActions.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38659, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "828f7a37d7b4a5c64984b624f55f38e54fda1e5e40cfc14ed11293a06f71c495", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/components/cards/checklists.js", "duplicate_line": 345, "correlation_key": "fp|828f7a37d7b4a5c64984b624f55f38e54fda1e5e40cfc14ed11293a06f71c495"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/lists/listHeader.js"}, "region": {"startLine": 343}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 38658, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2b2ca1f114a870f825c0ea1393059b845a114c5c2bedb56058a705de901f0be8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/components/cards/cardCustomFields.js", "duplicate_line": 9, "correlation_key": "fp|2b2ca1f114a870f825c0ea1393059b845a114c5c2bedb56058a705de901f0be8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/cards/cardDate.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). 
Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 38636, "scanner": "repobility-threat-engine", "fingerprint": "aa1c16eb7b6337a4245f71c2080a6f81a46af8008febcdb756f9ed51f708d764", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Template[' + nameLiteral + '] = new Template('", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aa1c16eb7b6337a4245f71c2080a6f81a46af8008febcdb756f9ed51f708d764"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm-packages/meteor-jade-loader/index.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 38635, "scanner": "repobility-threat-engine", "fingerprint": "7f5f1f21f0c4ce936072662d74860f6f71ae368cb9b025df4f73b34b685e2017", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'IpAddress: ' +\n            ipAddress +\n            ' is not authorized to perform this action !!\\n'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7f5f1f21f0c4ce936072662d74860f6f71ae368cb9b025df4f73b34b685e2017"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/server/metrics.js"}, "region": {"startLine": 220}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 38634, "scanner": "repobility-threat-engine", "fingerprint": "7a4321ce65bc6a4615daf9dfa94707487975e13ebc2523cc2e59266c36202843", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "print(\"filename: \" + local_filename + \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7a4321ce65bc6a4615daf9dfa94707487975e13ebc2523cc2e59266c36202843"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/ImportExport/trello/api.py"}, "region": {"startLine": 155}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 38625, "scanner": "repobility-threat-engine", "fingerprint": "c6c0c857b85b147534f1bb1c7bcf3824a5eaacfb0773d31706675bedb53ec24e", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = e", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|config/accounts.js|120|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/accounts.js"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common 
AI output unless explicitly requested."}, "properties": {"repobilityId": 38652, "scanner": "repobility-threat-engine", "fingerprint": "d67ce05885507e1118076db521ff8ddaa4d9095ea4869d6487fdda11ee167b72", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d67ce05885507e1118076db521ff8ddaa4d9095ea4869d6487fdda11ee167b72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/wekan-fullcalendar/fullcalendar/locale/vi.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 38651, "scanner": "repobility-threat-engine", "fingerprint": "110f34e190e6c0e6258f231ea1abdb6291032d15e42761b0111c86dbc79f947e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|110f34e190e6c0e6258f231ea1abdb6291032d15e42761b0111c86dbc79f947e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/wekan-fullcalendar/fullcalendar/locale/ro.js"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 38650, "scanner": "repobility-threat-engine", "fingerprint": "2b665fe3fd4c248bbaaccd819f788da6796c311f9f3604f01544ababa6685461", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2b665fe3fd4c248bbaaccd819f788da6796c311f9f3604f01544ababa6685461"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/wekan-fullcalendar/fullcalendar/locale/is.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 38648, "scanner": "repobility-threat-engine", "fingerprint": "aeddf9be9f09cc6a9819d208d726514d6042190d7377d839ca48759379930457", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, 
"ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aeddf9be9f09cc6a9819d208d726514d6042190d7377d839ca48759379930457"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/wekan-accounts-cas/cas_client.js"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 38644, "scanner": "repobility-threat-engine", "fingerprint": "33d6c922750887b88546b8718972aefca93f092097f1c80ab1e12676f78ef7a6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|33d6c922750887b88546b8718972aefca93f092097f1c80ab1e12676f78ef7a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "stacksmith/user-scripts/build.sh"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 38643, "scanner": "repobility-threat-engine", "fingerprint": "37a2fe4e8748bfd3af381e3cc62bee88083fb54c0eedc29230147b6f591d1954", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], 
"precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|37a2fe4e8748bfd3af381e3cc62bee88083fb54c0eedc29230147b6f591d1954"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/authentication.js"}, "region": {"startLine": 175}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 38642, "scanner": "repobility-threat-engine", "fingerprint": "ea3d453b8e453f4cf6d20e7eb55c1bd1ce23d48c6c3f0ca7b84066bc353b0964", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea3d453b8e453f4cf6d20e7eb55c1bd1ce23d48c6c3f0ca7b84066bc353b0964"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Webserver/nginx/nginx.conf"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 38639, "scanner": "repobility-threat-engine", "fingerprint": "50663969c525c41609a4038b488b46b7ce6bc0150d8199bca86621d151562ec9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|50663969c525c41609a4038b488b46b7ce6bc0150d8199bca86621d151562ec9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/ImportExport/trello/api.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 38638, "scanner": "repobility-threat-engine", "fingerprint": "8b87661272ac17fa80f6ee0907e981ecba10c13f3a6ca6e9072de89981aae940", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8b87661272ac17fa80f6ee0907e981ecba10c13f3a6ca6e9072de89981aae940"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/ImportExport/trello/api.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC132", "level": "none", 
"message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 38637, "scanner": "repobility-threat-engine", "fingerprint": "5b5429ce103e0212fe1464cb57739bff2520dbc1282d1a7ac9eefe5666813e21", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5b5429ce103e0212fe1464cb57739bff2520dbc1282d1a7ac9eefe5666813e21"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 38632, "scanner": "repobility-threat-engine", "fingerprint": "b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 38631, "scanner": "repobility-threat-engine", "fingerprint": "23c1b394607dca84b84e5c7e19ae366b3bb54fe9a806e06f176b897f93a32601", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.warn('Suspiciously long auth token received, rejecting to prevent resource abuse')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|models/exportexcel.js|6|console.warn suspiciously long auth token received rejecting to prevent resource abuse"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/exportExcel.js"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 38630, "scanner": "repobility-threat-engine", "fingerprint": "05347c2f04a43229336f4bf04fc46746e65ee8322d3f8d392ccc65be8d1b86cf", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.warn('Suspiciously long auth token received, rejecting to prevent resource abuse')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|models/export.js|6|console.warn suspiciously long auth token received rejecting to prevent resource abuse"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/export.js"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 38629, "scanner": "repobility-threat-engine", "fingerprint": "ff6a8920c6c5385a5b817aceada9a7f00a784eb85ff40237ca55475b477bcc5e", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "print(\"See settings in this api.py script for api key and token.\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|6|print see settings in this api.py script for api key and token."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/ImportExport/trello/api.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 38624, "scanner": "repobility-threat-engine", "fingerprint": "90a983ae2327fe2ddf05ecbedee38b4a196180482606a0fdef5e49cba72fabad", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|90a983ae2327fe2ddf05ecbedee38b4a196180482606a0fdef5e49cba72fabad"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 38620, "scanner": "repobility-threat-engine", "fingerprint": "2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 38 more): Same pattern found in 38 additional files. Review if needed."}, "properties": {"repobilityId": 38613, "scanner": "repobility-threat-engine", "fingerprint": "f7e05db95400602aa07bd6858d34947e60f7620bb60a4e8e40ed860df7e3ec68", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 38 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f7e05db95400602aa07bd6858d34947e60f7620bb60a4e8e40ed860df7e3ec68", "aggregated_count": 38}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 38612, "scanner": "repobility-threat-engine", "fingerprint": "8e37476e0fb924d0235373f8d23b11d519ee0f76075d8047adaf8b73fef1c005", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8e37476e0fb924d0235373f8d23b11d519ee0f76075d8047adaf8b73fef1c005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/common/originalPosition.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 38611, "scanner": "repobility-threat-engine", "fingerprint": "0b11bbf68f0a7012e19a252782c2878a45ab64db82be77bbbe3eb4377f3d5458", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0b11bbf68f0a7012e19a252782c2878a45ab64db82be77bbbe3eb4377f3d5458"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/boards/originalPositionsView.js"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 38610, "scanner": "repobility-threat-engine", "fingerprint": "08407127bed40e4a51dcaf6b45a0f47dc3c3d5447c61afb0bac7a780f9e20f21", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|08407127bed40e4a51dcaf6b45a0f47dc3c3d5447c61afb0bac7a780f9e20f21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/00-startup.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 38609, "scanner": "repobility-threat-engine", "fingerprint": "d57f94c2e96069b4a87a7fb2ba46f76103ae7ecd579ffae7064a6551df416baa", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d57f94c2e96069b4a87a7fb2ba46f76103ae7ecd579ffae7064a6551df416baa"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v3`: `uses: softprops/action-gh-release@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38799, "scanner": "repobility-supply-chain", "fingerprint": "117e6a9cba6851dd02105947aef7e4b4e677f2f00d7f03aaf92c73b7265a3c97", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|117e6a9cba6851dd02105947aef7e4b4e677f2f00d7f03aaf92c73b7265a3c97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-all.yml"}, "region": {"startLine": 477}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38798, "scanner": "repobility-supply-chain", "fingerprint": "861bd1f13c1bee69c4574a373de50c0d69ac97055f0313096c54d69d799eb3f1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|861bd1f13c1bee69c4574a373de50c0d69ac97055f0313096c54d69d799eb3f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-all.yml"}, "region": {"startLine": 471}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38797, "scanner": "repobility-supply-chain", "fingerprint": "dca2bcdf4cb3377fbcee926a2f1dc3740c942158fa71dd2e59d96f8409a531ad", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dca2bcdf4cb3377fbcee926a2f1dc3740c942158fa71dd2e59d96f8409a531ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-all.yml"}, "region": {"startLine": 456}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38796, "scanner": "repobility-supply-chain", "fingerprint": "aa3895bdaef7857ee60afd1aeacdd48bb9f70cd0f51d30bf22b4993cc0295c83", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa3895bdaef7857ee60afd1aeacdd48bb9f70cd0f51d30bf22b4993cc0295c83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-all.yml"}, "region": {"startLine": 422}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38795, "scanner": "repobility-supply-chain", "fingerprint": "dd6e186ed965ad44d98e4252355d07dda0d57e532b3bcd4ab9ae4c628b595a48", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dd6e186ed965ad44d98e4252355d07dda0d57e532b3bcd4ab9ae4c628b595a48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-all.yml"}, "region": {"startLine": 409}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38794, "scanner": "repobility-supply-chain", "fingerprint": "814707e4ad8eb69ee24c81e561ac1243aff78cc2b6434d613c1bf73fed827d9b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|814707e4ad8eb69ee24c81e561ac1243aff78cc2b6434d613c1bf73fed827d9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-all.yml"}, "region": {"startLine": 337}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38793, "scanner": "repobility-supply-chain", "fingerprint": "f0f5244892bd739c4df348cab9038c3fb73843423a127788dc325d80a785acc1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0f5244892bd739c4df348cab9038c3fb73843423a127788dc325d80a785acc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-all.yml"}, "region": {"startLine": 300}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38792, "scanner": "repobility-supply-chain", "fingerprint": "adde0d60a2c85dc55ed0f7ec2ba7b05aeab6a0bdd5758ceedd3c9257ca544cb6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|adde0d60a2c85dc55ed0f7ec2ba7b05aeab6a0bdd5758ceedd3c9257ca544cb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-all.yml"}, "region": {"startLine": 271}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38791, "scanner": "repobility-supply-chain", "fingerprint": "e5fcb6b4f7c2936d6122ca64a5f5556c227c6321d00aa639c484c1a2ee85b5f9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e5fcb6b4f7c2936d6122ca64a5f5556c227c6321d00aa639c484c1a2ee85b5f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-all.yml"}, "region": {"startLine": 234}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38790, "scanner": "repobility-supply-chain", "fingerprint": "4c42c9938801263b7bfc91664d9a0136d61a2be0b8a0c3c031e4cc8776093a4c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4c42c9938801263b7bfc91664d9a0136d61a2be0b8a0c3c031e4cc8776093a4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-all.yml"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38789, "scanner": "repobility-supply-chain", "fingerprint": "5a37db3a84fd871a48a3d6a1a83b51d60cd97326063a741cd7f5fb6172a46000", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5a37db3a84fd871a48a3d6a1a83b51d60cd97326063a741cd7f5fb6172a46000"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-all.yml"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38788, "scanner": "repobility-supply-chain", "fingerprint": "7782a7f1907e6bb6b07cc1c35b534ad364e79cdf5490e2d07fefa2cec5e833f2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7782a7f1907e6bb6b07cc1c35b534ad364e79cdf5490e2d07fefa2cec5e833f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-all.yml"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38787, "scanner": "repobility-supply-chain", "fingerprint": "840003ac851b230c1c49b005be070d9a40393cb0bc53b1cc986786a0597ec778", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|840003ac851b230c1c49b005be070d9a40393cb0bc53b1cc986786a0597ec778"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-all.yml"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38786, "scanner": "repobility-supply-chain", "fingerprint": "e861df2c68b4acbfcc661d91e74b1aa454fbe0d75283b1f78f679f008d06fda0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e861df2c68b4acbfcc661d91e74b1aa454fbe0d75283b1f78f679f008d06fda0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-all.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38785, "scanner": "repobility-supply-chain", "fingerprint": "35124573fcba192b81cf1da5cda1fe651d7fea6d3eb59d3d70850da813d66399", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|35124573fcba192b81cf1da5cda1fe651d7fea6d3eb59d3d70850da813d66399"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-all.yml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38784, "scanner": "repobility-supply-chain", "fingerprint": "34dff5ea90f7476bb9c4a29fce9ef19dbfe4b43848c35286bfa0c402f556b003", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|34dff5ea90f7476bb9c4a29fce9ef19dbfe4b43848c35286bfa0c402f556b003"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-all.yml"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38783, "scanner": "repobility-supply-chain", "fingerprint": "47c14ddaaa3d210125dd408de5d145c1571aaf79b283e3017b4917140fa047f0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47c14ddaaa3d210125dd408de5d145c1571aaf79b283e3017b4917140fa047f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-all.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `mongo:7` unpinned: `container/services image: mongo:7` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 38782, "scanner": "repobility-supply-chain", "fingerprint": "938f3a7e40189985d8885fc63a4f6bfe9e063b488448568ab9062901139489d7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|938f3a7e40189985d8885fc63a4f6bfe9e063b488448568ab9062901139489d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwright.yml"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `mongo:7` unpinned: `container/services image: mongo:7` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 38781, "scanner": "repobility-supply-chain", "fingerprint": "6b8159391184a953ff7042063dcdbccc39cb5fbd467331f59ea743922705b394", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b8159391184a953ff7042063dcdbccc39cb5fbd467331f59ea743922705b394"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwright.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38780, "scanner": "repobility-supply-chain", "fingerprint": "b33bca3df9fa0aa97d7b51ea41eededbf32b6cb2c61d9ac8968a44bb91415971", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b33bca3df9fa0aa97d7b51ea41eededbf32b6cb2c61d9ac8968a44bb91415971"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwright.yml"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38779, "scanner": "repobility-supply-chain", "fingerprint": "b34707ed661e152a063893b162b2db5190085eb54f18b45a9e729926ef0356c5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b34707ed661e152a063893b162b2db5190085eb54f18b45a9e729926ef0356c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwright.yml"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38778, "scanner": "repobility-supply-chain", "fingerprint": "5eb36ebceed4275d65165f41a7e104f019ff9e856361188b65dfc9a0e3241eab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5eb36ebceed4275d65165f41a7e104f019ff9e856361188b65dfc9a0e3241eab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwright.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38777, "scanner": "repobility-supply-chain", "fingerprint": "212579ec05b5059e05ecbe96218e27c1a0b02173af8285358b0516e3bf2e54c2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|212579ec05b5059e05ecbe96218e27c1a0b02173af8285358b0516e3bf2e54c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwright.yml"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38776, "scanner": "repobility-supply-chain", "fingerprint": "b9f1e1b51143ecb35b78743e00479c9d69d1c4a77011667a18891ff3a8b37281", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b9f1e1b51143ecb35b78743e00479c9d69d1c4a77011667a18891ff3a8b37281"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwright.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38775, "scanner": "repobility-supply-chain", "fingerprint": "abeca03a05f86b03e1f8d29e0916ec2cdbdcae1e9365185001dbcbdf435e596f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|abeca03a05f86b03e1f8d29e0916ec2cdbdcae1e9365185001dbcbdf435e596f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwright.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 38774, "scanner": "repobility-supply-chain", "fingerprint": "ae7bb98ec876aedd2477ef6b2d7fad0f767e95a228efd5866e044048bd1d9b06", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae7bb98ec876aedd2477ef6b2d7fad0f767e95a228efd5866e044048bd1d9b06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwright.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA of a reviewed release, keep the tag in a trailing comment (e.g. `# v6`) so Dependabot or Renovate can still propose bumps, and enable those updates so the pin does not silently go stale."}, "properties": {"repobilityId": 38773, "scanner": "repobility-supply-chain", "fingerprint": "ef71ecfda345a351fef929983f1731ae987299eaf2bb270bc107a6df4ad17a83", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef71ecfda345a351fef929983f1731ae987299eaf2bb270bc107a6df4ad17a83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwright.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The image publisher (or anyone with push access to that registry repository) can re-push a different image under the same tag, so every build is potentially different. 
Pin to `image@sha256:...` (a digest pins content, a tag only pins a name) for reproducibility and supply-chain integrity; because a digest also freezes security patches, pair it with an automated digest updater (Dependabot or Renovate) rather than hand-editing. Dev-container images deserve the same treatment as production images, since they run with developer credentials and source access."}, "properties": {"repobilityId": 38772, "scanner": "repobility-supply-chain", "fingerprint": "37dadcc460aa218e5bdf2cdf5f1498038cbdd9cede535d679c078915150918d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|37dadcc460aa218e5bdf2cdf5f1498038cbdd9cede535d679c078915150918d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `gitpod/workspace-mongodb` (no tag) not pinned by digest: `FROM gitpod/workspace-mongodb` carries no tag, so it resolves to `:latest` at build time. The image publisher (or anyone with push access to that registry repository) can re-push a different image under the same tag, so every build is potentially different. 
Pin to `image@sha256:...` (a digest pins content, a tag only pins a name) for reproducibility and supply-chain integrity; because a digest also freezes security patches, pair it with an automated digest updater (Dependabot or Renovate) rather than hand-editing. Gitpod workspace images deserve the same treatment as production images, since they run with developer credentials and source access."}, "properties": {"repobilityId": 38771, "scanner": "repobility-supply-chain", "fingerprint": "eaa4277eb9d3ebb3441cfaab9af077514291156b592010b6a40eec716598db1e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eaa4277eb9d3ebb3441cfaab9af077514291156b592010b6a40eec716598db1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".gitpod.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The image publisher (or anyone with push access to that registry repository) can re-push a different image under the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` (a digest pins content, a tag only pins a name) for reproducibility and supply-chain integrity; because a digest also freezes security patches, pair it with an automated digest updater (Dependabot or Renovate) rather than hand-editing."}, "properties": {"repobilityId": 38770, "scanner": "repobility-supply-chain", "fingerprint": "7d0469362b14ba0b221a7152d90cbfd3ebd4f9e8b6a39ccea2857467281e3e9f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d0469362b14ba0b221a7152d90cbfd3ebd4f9e8b6a39ccea2857467281e3e9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.summary` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.summary`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 38768, "scanner": "repobility-ast-engine", "fingerprint": "82a353b21b377ac06d282e28f8e7cf2a528e2fe2c25664e096cfe4c08826f491", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|82a353b21b377ac06d282e28f8e7cf2a528e2fe2c25664e096cfe4c08826f491"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 417}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.returns` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.returns`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 38767, "scanner": "repobility-ast-engine", "fingerprint": "aaf0c2c2d7600c52a09c0e089556c8eb9c876407886d60b08a207b9c01f68e94", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aaf0c2c2d7600c52a09c0e089556c8eb9c876407886d60b08a207b9c01f68e94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 460}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.print_openapi_return` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.print_openapi_return`, but no assignment to it exists in __init__ (and no class-level fallback). 
This would raise AttributeError the first time the method runs against an instance; however, elsewhere in this report `print_openapi_return` is identified as a method of `EntryPoint`, so the name resolves through the class and this finding is most likely a false positive (confirm that nothing in __init__ shadows the method)."}, "properties": {"repobilityId": 38766, "scanner": "repobility-ast-engine", "fingerprint": "3d42814d9e6b5b678acb801ed783754de6187c7af8ccb44e29c0582753d6797e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3d42814d9e6b5b678acb801ed783754de6187c7af8ccb44e29c0582753d6797e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 460}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.print_openapi_param` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.print_openapi_param`, but no assignment to it exists in __init__ (and no class-level fallback). 
This would raise AttributeError the first time the method runs against an instance; however, elsewhere in this report `print_openapi_param` is identified as a method of `EntryPoint`, so the name resolves through the class and this finding is most likely a false positive (confirm that nothing in __init__ shadows the method)."}, "properties": {"repobilityId": 38765, "scanner": "repobility-ast-engine", "fingerprint": "9de964ef3094d0475b01d9f82d4611f008bc9538a8a409ef79b57d5d0bbd36d7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9de964ef3094d0475b01d9f82d4611f008bc9538a8a409ef79b57d5d0bbd36d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 449}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.tags` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.tags`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 38764, "scanner": "repobility-ast-engine", "fingerprint": "0718ca6e68098ae20c3c3410fee0428adb835c92ddb20f116b2f5aefcf138f30", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0718ca6e68098ae20c3c3410fee0428adb835c92ddb20f116b2f5aefcf138f30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 427}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.operationId` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.operationId`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 38763, "scanner": "repobility-ast-engine", "fingerprint": "dbd09b2f164daba2270ee0b071da73b2e80b14d8de0fed7e20d690a3d46cde07", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dbd09b2f164daba2270ee0b071da73b2e80b14d8de0fed7e20d690a3d46cde07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 414}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.returns` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.returns`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 38762, "scanner": "repobility-ast-engine", "fingerprint": "ae151b66f70bd29fee307f8b5ab5922fc01946114e99cada7fcb126372c7a5fa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ae151b66f70bd29fee307f8b5ab5922fc01946114e99cada7fcb126372c7a5fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 458}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.tags` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.tags`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 38761, "scanner": "repobility-ast-engine", "fingerprint": "95dde1d1f2e4ffbc8b6136ee46d54ec56deaf083f00286e800f122864b0a93c7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|95dde1d1f2e4ffbc8b6136ee46d54ec56deaf083f00286e800f122864b0a93c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 429}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.description` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.description`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 38760, "scanner": "repobility-ast-engine", "fingerprint": "e8186205b3dd4a30772ed60421ef2c1b26c9f60ef159813d6a1136e770bbe546", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e8186205b3dd4a30772ed60421ef2c1b26c9f60ef159813d6a1136e770bbe546"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 419}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.summary` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.summary`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 38759, "scanner": "repobility-ast-engine", "fingerprint": "64fd6c1863af589f761f5463de39465e198163d2232542c0183803d2e3028c69", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|64fd6c1863af589f761f5463de39465e198163d2232542c0183803d2e3028c69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 416}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.error` used but never assigned in __init__: Method `print_openapi_return` of class `EntryPoint` reads `self.error`, but no assignment to it exists in __init__ (and no class-level fallback). 
This would raise AttributeError the first time the method runs against an instance; however, elsewhere in this report `error` is identified as a method of `EntryPoint`, so `self.error` resolves through the class and this finding is most likely a false positive (confirm that nothing in __init__ shadows the method)."}, "properties": {"repobilityId": 38758, "scanner": "repobility-ast-engine", "fingerprint": "fa222518081f7e82caa6c70e6790a454343f06cc7648fa1cb6cd24c13acbf6d5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fa222518081f7e82caa6c70e6790a454343f06cc7648fa1cb6cd24c13acbf6d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 396}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.print_openapi_return` used but never assigned in __init__: Method `print_openapi_return` of class `EntryPoint` reads `self.print_openapi_return`, but no assignment to it exists in __init__ (and no class-level fallback). 
This would raise AttributeError the first time the method runs against an instance; however, the name being read is the method's own name (`print_openapi_return` is a method of `EntryPoint`, as this finding itself states), so it resolves through the class and this is most likely a false positive for a recursive call (confirm that nothing in __init__ shadows the method)."}, "properties": {"repobilityId": 38757, "scanner": "repobility-ast-engine", "fingerprint": "7c2fab9124f25a9095e194b6d18f31aef922bd629f2cbed33fbac2d0f112157e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7c2fab9124f25a9095e194b6d18f31aef922bd629f2cbed33fbac2d0f112157e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 399}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.print_openapi_return` used but never assigned in __init__: Method `print_openapi_return` of class `EntryPoint` reads `self.print_openapi_return`, but no assignment to it exists in __init__ (and no class-level fallback). 
This would raise AttributeError the first time the method runs against an instance; however, the name being read is the method's own name (`print_openapi_return` is a method of `EntryPoint`, as this finding itself states), so it resolves through the class and this is most likely a false positive for a recursive call (confirm that nothing in __init__ shadows the method)."}, "properties": {"repobilityId": 38756, "scanner": "repobility-ast-engine", "fingerprint": "9d63811a1a0d22f154634076ef2cd410406f1c3de7526fbd2854124a1355871c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9d63811a1a0d22f154634076ef2cd410406f1c3de7526fbd2854124a1355871c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 392}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.doc_param` used but never assigned in __init__: Method `print_openapi_param` of class `EntryPoint` reads `self.doc_param`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 38755, "scanner": "repobility-ast-engine", "fingerprint": "b54e5cc17a01dcab6b4d85be2b2c8bd2012b5509e6211ad80bfec61046d1fe03", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b54e5cc17a01dcab6b4d85be2b2c8bd2012b5509e6211ad80bfec61046d1fe03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 344}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.warn` used but never assigned in __init__: Method `doc` of class `EntryPoint` reads `self.warn`, but no assignment to it exists in __init__ (and no class-level fallback). 
This would raise AttributeError the first time the method runs against an instance; however, elsewhere in this report `warn` is identified as a method of `EntryPoint`, so `self.warn` resolves through the class and this finding is most likely a false positive (confirm that nothing in __init__ shadows the method)."}, "properties": {"repobilityId": 38754, "scanner": "repobility-ast-engine", "fingerprint": "a139d5bd921fb5d46b3d27e264c433c814ba3105718985953e2413c8cf86cbb3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a139d5bd921fb5d46b3d27e264c433c814ba3105718985953e2413c8cf86cbb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 258}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.info` used but never assigned in __init__: Method `doc` of class `EntryPoint` reads `self.info`, but no assignment to it exists in __init__ (and no class-level fallback). 
This would raise AttributeError the first time the method runs against an instance; however, elsewhere in this report `info` is identified as a method of `EntryPoint`, so `self.info` resolves through the class and this finding is most likely a false positive (confirm that nothing in __init__ shadows the method)."}, "properties": {"repobilityId": 38753, "scanner": "repobility-ast-engine", "fingerprint": "67ab3d7ce7d19db66b3c1ef4e8df50e434f5e85e3955fd1716dd621faa5a2320", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|67ab3d7ce7d19db66b3c1ef4e8df50e434f5e85e3955fd1716dd621faa5a2320"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 324}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.warn` used but never assigned in __init__: Method `doc` of class `EntryPoint` reads `self.warn`, but no assignment to it exists in __init__ (and no class-level fallback). 
This would raise AttributeError the first time the method runs against an instance; however, elsewhere in this report `warn` is identified as a method of `EntryPoint`, so `self.warn` resolves through the class and this finding is most likely a false positive (confirm that nothing in __init__ shadows the method)."}, "properties": {"repobilityId": 38752, "scanner": "repobility-ast-engine", "fingerprint": "daff2fb09b4a6af3b2123917b28f0fd35e85ec469a9af0aae8f63b22919fca58", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|daff2fb09b4a6af3b2123917b28f0fd35e85ec469a9af0aae8f63b22919fca58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 271}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.warn` used but never assigned in __init__: Method `doc` of class `EntryPoint` reads `self.warn`, but no assignment to it exists in __init__ (and no class-level fallback). 
This would raise AttributeError the first time the method runs against an instance; however, elsewhere in this report `warn` is identified as a method of `EntryPoint`, so `self.warn` resolves through the class and this finding is most likely a false positive (confirm that nothing in __init__ shadows the method)."}, "properties": {"repobilityId": 38751, "scanner": "repobility-ast-engine", "fingerprint": "c43e251ffd99e8496b3115e7ee7ea59d69d8c38f3812ccdd20723c5f1103c6b6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c43e251ffd99e8496b3115e7ee7ea59d69d8c38f3812ccdd20723c5f1103c6b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 301}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log` used but never assigned in __init__: Method `info` of class `EntryPoint` reads `self.log`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 38750, "scanner": "repobility-ast-engine", "fingerprint": "525a213f9e0153be74add679e03cb6d4793748ecb34fa96ff2879daa31ce8768", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|525a213f9e0153be74add679e03cb6d4793748ecb34fa96ff2879daa31ce8768"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 185}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log` used but never assigned in __init__: Method `warn` of class `EntryPoint` reads `self.log`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 38749, "scanner": "repobility-ast-engine", "fingerprint": "9a03e77ede92344e6488518c2069586fb7a3159c8f32af17d067160294d58db6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9a03e77ede92344e6488518c2069586fb7a3159c8f32af17d067160294d58db6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 182}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log` used but never assigned in __init__: Method `error` of class `EntryPoint` reads `self.log`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 38748, "scanner": "repobility-ast-engine", "fingerprint": "cdc66dc64aa6e85288cfe3eab221853bd06219eae955b9920f44dbc4da103b9d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cdc66dc64aa6e85288cfe3eab221853bd06219eae955b9920f44dbc4da103b9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._path` used but never assigned in __init__: Method `compute_path` of class `EntryPoint` reads `self._path`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 38747, "scanner": "repobility-ast-engine", "fingerprint": "a9a9e70b5d6ed3231f901ddf67f163dbd66b4ad5fa536dcd149e9d478f8a0597", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a9a9e70b5d6ed3231f901ddf67f163dbd66b4ad5fa536dcd149e9d478f8a0597"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._decode` used but never assigned in __init__: Method `_decode` of class `JS2jsonDecoder` reads `self._decode`, but no assignment to it exists in __init__ (and no class-level fallback). 
This would raise AttributeError the first time the method runs against an instance; however, the name being read is the method's own name (`_decode` is a method of `JS2jsonDecoder`, as this finding itself states), so it resolves through the class and this is most likely a false positive for a recursive call (confirm that nothing in __init__ shadows the method)."}, "properties": {"repobilityId": 38746, "scanner": "repobility-ast-engine", "fingerprint": "80ae900fd3866d870113073c8ca080754c977c7d6323cf0e924eac0a6cf2e69f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|80ae900fd3866d870113073c8ca080754c977c7d6323cf0e924eac0a6cf2e69f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._decode` used but never assigned in __init__: Method `_decode` of class `JS2jsonDecoder` reads `self._decode`, but no assignment to it exists in __init__ (and no class-level fallback). 
This would raise AttributeError the first time the method runs against an instance; however, the name being read is the method's own name (`_decode` is a method of `JS2jsonDecoder`, as this finding itself states), so it resolves through the class and this is most likely a false positive for a recursive call (confirm that nothing in __init__ shadows the method)."}, "properties": {"repobilityId": 38745, "scanner": "repobility-ast-engine", "fingerprint": "9620cd410c9cc801b8cc22b948174738185b9be01ec090fede7639ea5ed9a22c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9620cd410c9cc801b8cc22b948174738185b9be01ec090fede7639ea5ed9a22c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._decode` used but never assigned in __init__: Method `decode` of class `JS2jsonDecoder` reads `self._decode`, but no assignment to it exists in __init__ (and no class-level fallback). 
This would raise AttributeError the first time the method runs against an instance; however, elsewhere in this report `_decode` is identified as a method of `JS2jsonDecoder`, so `self._decode` resolves through the class and this finding is most likely a false positive (confirm that nothing in __init__ shadows the method)."}, "properties": {"repobilityId": 38744, "scanner": "repobility-ast-engine", "fingerprint": "c8940d593fe6cb121ef40e4dc4d4edcb0763f3b6c3c07c3fbb99704a0a3954f4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c8940d593fe6cb121ef40e4dc4d4edcb0763f3b6c3c07c3fbb99704a0a3954f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "DKC009", "level": "error", "message": {"text": "Compose service bind-mounts a sensitive host path"}, "properties": {"repobilityId": 38728, "scanner": "repobility-docker", "fingerprint": "8e906961cfddb09ef13b2d885800dc5352fbc34609b80f9444d28f31499dd90e", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Bind mount source points at a sensitive host path. Note that `/etc/localtime` is a timezone file with little disclosure value; if the compose file mounts it read-only (`:ro`) this is informational rather than high severity, so verify the mount mode before treating it as a real exposure.", "evidence": {"source": "/etc/localtime", "rule_id": "DKC009", "scanner": "repobility-docker", "service": "wekan", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8e906961cfddb09ef13b2d885800dc5352fbc34609b80f9444d28f31499dd90e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Databases/ToroDB-PostgreSQL/docker-compose.yml"}, "region": {"startLine": 147}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 38724, "scanner": "repobility-docker", "fingerprint": "051796ed2ed5548b67725b872768247a8d5def1f43aae9ee1905a85e7daf3a08", "category": "docker", 
"severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "27017:27017", "target": "27017", "host_ip": "", "published": "27017"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mongodb", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|051796ed2ed5548b67725b872768247a8d5def1f43aae9ee1905a85e7daf3a08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Databases/ToroDB-PostgreSQL/docker-compose.yml"}, "region": {"startLine": 709}}}]}, {"ruleId": "DKC009", "level": "error", "message": {"text": "Compose service bind-mounts a sensitive host path"}, "properties": {"repobilityId": 38723, "scanner": "repobility-docker", "fingerprint": "597f61bd9db472f97a265d59ac2f641b2e1196bb0c7fbd284bae295d33486399", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Bind mount source points at a sensitive host path.", "evidence": {"source": "/etc/localtime", "rule_id": "DKC009", "scanner": "repobility-docker", "service": "mongodb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|597f61bd9db472f97a265d59ac2f641b2e1196bb0c7fbd284bae295d33486399"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Databases/ToroDB-PostgreSQL/docker-compose.yml"}, "region": {"startLine": 709}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 38721, "scanner": "repobility-docker", "fingerprint": 
"af8934b455d4b0db8c332c8b3e0ed92a18d2f77e3758bcfff4e4f0b6e0e29c1a", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|af8934b455d4b0db8c332c8b3e0ed92a18d2f77e3758bcfff4e4f0b6e0e29c1a", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Databases/ToroDB-PostgreSQL/docker-compose.yml"}, "region": {"startLine": 112}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 38720, "scanner": "repobility-docker", "fingerprint": "54e73d8f9b12ad5f60f754ae1f5239c7fb1352d439a04ee833a7651b9d1cf442", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|54e73d8f9b12ad5f60f754ae1f5239c7fb1352d439a04ee833a7651b9d1cf442"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Databases/ToroDB-PostgreSQL/docker-compose.yml"}, "region": {"startLine": 112}}}]}, {"ruleId": "DKC009", "level": "error", "message": {"text": "Compose service bind-mounts a sensitive host path"}, "properties": {"repobilityId": 38719, "scanner": 
"repobility-docker", "fingerprint": "859292bbdeb9ba89ef0ee38fe87047abbbf719409ac104a16a1e6dff4dc90f99", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Bind mount source points at a sensitive host path.", "evidence": {"source": "/etc/localtime", "rule_id": "DKC009", "scanner": "repobility-docker", "service": "postgres", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|859292bbdeb9ba89ef0ee38fe87047abbbf719409ac104a16a1e6dff4dc90f99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Databases/ToroDB-PostgreSQL/docker-compose.yml"}, "region": {"startLine": 112}}}]}, {"ruleId": "DKC009", "level": "error", "message": {"text": "Compose service bind-mounts a sensitive host path"}, "properties": {"repobilityId": 38717, "scanner": "repobility-docker", "fingerprint": "548d254f1e58eedff4786b9803eabb1361c38fb8025edebe6f6eef250a2e8701", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Bind mount source points at a sensitive host path.", "evidence": {"source": "/etc/localtime", "rule_id": "DKC009", "scanner": "repobility-docker", "service": "torodb-stampede", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|548d254f1e58eedff4786b9803eabb1361c38fb8025edebe6f6eef250a2e8701"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Databases/ToroDB-PostgreSQL/docker-compose.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "DKC009", "level": "error", "message": {"text": "Compose service bind-mounts a sensitive host path"}, "properties": {"repobilityId": 38714, "scanner": "repobility-docker", "fingerprint": "b85196d6d9b357a416ce4d730dc3b7aaa0d45c7ad28466870cfa6b9f5884e869", "category": "docker", "severity": "high", 
"confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Bind mount source points at a sensitive host path.", "evidence": {"source": "/etc/localtime", "rule_id": "DKC009", "scanner": "repobility-docker", "service": "wekan", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b85196d6d9b357a416ce4d730dc3b7aaa0d45c7ad28466870cfa6b9f5884e869"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 265}}}]}, {"ruleId": "DKC009", "level": "error", "message": {"text": "Compose service bind-mounts a sensitive host path"}, "properties": {"repobilityId": 38710, "scanner": "repobility-docker", "fingerprint": "7c42aec1178bdc412e112f99a91636fed490e4fb9aa61404d557005cef5c2c7b", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Bind mount source points at a sensitive host path.", "evidence": {"source": "/etc/localtime", "rule_id": "DKC009", "scanner": "repobility-docker", "service": "wekandb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7c42aec1178bdc412e112f99a91636fed490e4fb9aa61404d557005cef5c2c7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 224}}}]}, {"ruleId": "DKC009", "level": "error", "message": {"text": "Compose service bind-mounts a sensitive host path"}, "properties": {"repobilityId": 38707, "scanner": "repobility-docker", "fingerprint": "83feb67f35d12070253f0eec050a27bf2ae3a2d3a7d9526900fdecef25814b78", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Bind mount source points at a sensitive host path.", "evidence": {"source": "/etc/localtime", "rule_id": "DKC009", "scanner": 
"repobility-docker", "service": "wekan-dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|83feb67f35d12070253f0eec050a27bf2ae3a2d3a7d9526900fdecef25814b78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC009", "level": "error", "message": {"text": "Compose service bind-mounts a sensitive host path"}, "properties": {"repobilityId": 38704, "scanner": "repobility-docker", "fingerprint": "d44991d0519ac963298aab4093f0ce1075a699307fa9e7a267af27520a32fa71", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Bind mount source points at a sensitive host path.", "evidence": {"source": "/etc/localtime", "rule_id": "DKC009", "scanner": "repobility-docker", "service": "wekandb-dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d44991d0519ac963298aab4093f0ce1075a699307fa9e7a267af27520a32fa71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) lets any website read the response of a cross-origin request. 
Browsers refuse to expose a response that pairs `*` with `Access-Control-Allow-Credentials: true`, so a wildcard cannot leak authenticated responses on its own; the dangerous variant is reflecting the request `Origin` header (or a loose origin check) together with credentials. A bare `*` on public, unauthenticated assets mainly widens who can read them, so confirm what the route serves before triaging."}, "properties": {"repobilityId": 38656, "scanner": "repobility-threat-engine", "fingerprint": "9130e58648f1356c6f523eeb1f2f0664707419154a72bd9f32ef7907d0b4db92", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9130e58648f1356c6f523eeb1f2f0664707419154a72bd9f32ef7907d0b4db92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/customHeadAssets.js"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection, because the string is handed to a shell. Prefer `execFile`/`spawn` with an argument array and no shell, and validate any user-derived argument against an allowlist. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 38655, "scanner": "repobility-threat-engine", "fingerprint": "658c921524236598bb60678db127cad686da12e0c19463915d33231345919809", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(params", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|658c921524236598bb60678db127cad686da12e0c19463915d33231345919809"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/models/activities.js"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... 
| sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 38653, "scanner": "repobility-threat-engine", "fingerprint": "2f5d844e63423cfee3d26694abe084e62c0f9310b530566c29d1265bbd3f44ba", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2f5d844e63423cfee3d26694abe084e62c0f9310b530566c29d1265bbd3f44ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "releases/install-sandstorm.sh"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. 
libxmljs in particular has had XXE CVEs. The matched call here is `xml2js.parseString(`; xml2js is built on sax-js, which does not fetch or expand external entities, so this match is unlikely to be an XXE sink by itself; confirm which parser and options actually handle the untrusted XML before treating it as exploitable."}, "properties": {"repobilityId": 38649, "scanner": "repobility-threat-engine", "fingerprint": "1d473e06f89dfd004ce90d7381cb80d2b25e4a0606d7cefee0c2ef00641b5565", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "xml2js.parseString(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1d473e06f89dfd004ce90d7381cb80d2b25e4a0606d7cefee0c2ef00641b5565"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/wekan-accounts-cas/cas_server.js"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service (this is a resource-exhaustion DoS, not a regular-expression DoS). Pass an explicit `timeout=`, ideally a `(connect, read)` tuple. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 38633, "scanner": "repobility-threat-engine", "fingerprint": "c545eae5b44db8cbe74e546ecfc3ddbcbd6b876cd245666e99c081d0b7ad59c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c545eae5b44db8cbe74e546ecfc3ddbcbd6b876cd245666e99c081d0b7ad59c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/ImportExport/trello/api.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 38623, "scanner": "repobility-threat-engine", "fingerprint": "9d3850fe3718ea55657c886cc68e8a4cb74e5cf5beeda4d7487e533dd25513eb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(opts", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9d3850fe3718ea55657c886cc68e8a4cb74e5cf5beeda4d7487e533dd25513eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/avatars.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 38622, "scanner": "repobility-threat-engine", "fingerprint": "d77e767285e833e977cba8ad3647e0886806f0b3cef031ac800c66a0518409ff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(opts", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d77e767285e833e977cba8ad3647e0886806f0b3cef031ac800c66a0518409ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/attachments.js"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS 
pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 38621, "scanner": "repobility-threat-engine", "fingerprint": "27ca17a3f4180cddb73ad7a8d9f6171811a28d3645078fc5e8f4121e6e6027d8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(value", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|27ca17a3f4180cddb73ad7a8d9f6171811a28d3645078fc5e8f4121e6e6027d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/settings/translationBody.js"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 38619, "scanner": "repobility-threat-engine", "fingerprint": "e5b95d834899689ad6cc3a27ce08249ddf17fa1637fe665a5cca6c0c3192ee63", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "CustomFields.update(currentData._id, { $set: data });", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e5b95d834899689ad6cc3a27ce08249ddf17fa1637fe665a5cca6c0c3192ee63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/sidebar/sidebarCustomFields.js"}, "region": {"startLine": 243}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 38618, "scanner": "repobility-threat-engine", "fingerprint": "16e4fbfc73eb1af1cf8bd543e564c97e8fb1b363c01e28bf5433bb1749d5429b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "LockoutSettings.update('known-failuresBeforeLockout', {\n      $set: { value: knownFailuresBefore", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|16e4fbfc73eb1af1cf8bd543e564c97e8fb1b363c01e28bf5433bb1749d5429b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/settings/lockedUsersBody.js"}, "region": {"startLine": 138}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 38617, "scanner": "repobility-threat-engine", "fingerprint": "83ec96658a987add6eebb81f631f2e2f4f62828a2b71f205ddf68b4e2f4037c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "autosize.update(input);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|83ec96658a987add6eebb81f631f2e2f4f62828a2b71f205ddf68b4e2f4037c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/activities/comments.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 38608, "scanner": "repobility-threat-engine", "fingerprint": "6b146fc9d82749683d213814486fdc3cf2f605e423c2f497f102f0845b1d5f2f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6b146fc9d82749683d213814486fdc3cf2f605e423c2f497f102f0845b1d5f2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/attachments.js"}, "region": {"startLine": 160}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 38607, "scanner": "repobility-threat-engine", "fingerprint": "a83215108d7ca8a095012ecf4e39f984006fd1640e15701dace230508e45b9fb", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a83215108d7ca8a095012ecf4e39f984006fd1640e15701dace230508e45b9fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/gantt/gantt.js"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. Note that this match is in a client-side file (`client/00-startup.js`): code that runs in the browser cannot reach the server's internal network, so confirm the call actually executes server-side before treating it as SSRF."}, "properties": {"repobilityId": 38606, "scanner": "repobility-threat-engine", "fingerprint": "0a9d2fb9378411eae2cb04a4e818d7d385500f9dc23f6d436a244c4065baa929", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(_", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0a9d2fb9378411eae2cb04a4e818d7d385500f9dc23f6d436a244c4065baa929"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/00-startup.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED123", "level": "error", "message": {"text": "[MINED123] Trojan Source bidi character (LRM) in source: Line 150 contains a Unicode bidirectional control character (U+200E LEFT-TO-RIGHT MARK). The 'Trojan Source' attack (CVE-2021-42574) uses bidi controls to make the compiler / interpreter see different code than the human reviewer. LRM is a zero-width directional mark, not one of the override/isolate characters (U+202A-U+202E, U+2066-U+2069) that the attack relies on, and it is common in translation data, so inspect the line for visually reordered tokens before treating this as an attack rather than stray text."}, "properties": {"repobilityId": 38800, "scanner": "repobility-supply-chain", "fingerprint": "767731174249d1d8ea643aabd67fd0b1100df1f8c211b90a00a00a985c4df832", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"mined": true, "mining": {"slug": "trojan-source-bidi", "owasp": null, "cwe_ids": ["CWE-1007"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "vuln||CVE-2021-42574|token", "duplicate_count": 3, "duplicate_rule_ids": ["MINED123"], "duplicate_scanners": ["repobility-supply-chain"], "duplicate_fingerprints": ["0c4bdab63c8005228190255f2d8b0ead7d185cfba18839d4dd5dc8d7872093bc", 
"767731174249d1d8ea643aabd67fd0b1100df1f8c211b90a00a00a985c4df832", "c3a41446ddfe9f394a603ac66199d129dd254f5f23c154bd4b9197251f56acdf", "dba6d5ce7dcd232f783db6b762befac9a8c2f58a0939d7a7d91e93bf88633e02"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "releases/translations/old-pull-translations.sh"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `enum` used but not imported: The file uses `enum.something(...)` but never imports `enum`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 38743, "scanner": "repobility-ast-engine", "fingerprint": "9754098ef6d4907ca90a47e596a6187de8904f298051c3904802d093c0160d79", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9754098ef6d4907ca90a47e596a6187de8904f298051c3904802d093c0160d79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi/generate_openapi.py"}, "region": {"startLine": 490}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 38718, "scanner": "repobility-docker", "fingerprint": "5eea4a3c611a093d03c800c815a98b50cf44c2c2e0e8ec3746f3e487e1c853cd", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": 
["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|5eea4a3c611a093d03c800c815a98b50cf44c2c2e0e8ec3746f3e487e1c853cd", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Databases/ToroDB-PostgreSQL/docker-compose.yml"}, "region": {"startLine": 112}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 38716, "scanner": "repobility-docker", "fingerprint": "f0c46efb189c1da2a59f9fd2786c006163e201539821d9ad7caee366d86c6d60", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "torodb-stampede", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|f0c46efb189c1da2a59f9fd2786c006163e201539821d9ad7caee366d86c6d60", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Databases/ToroDB-PostgreSQL/docker-compose.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "DKR005", "level": "error", "message": {"text": "Docker image bakes a secret-like ENV value"}, "properties": {"repobilityId": 38703, "scanner": "repobility-docker", "fingerprint": "17e2e467635e0bbda2ba6b6fe773e867292829cd2e3e79a7ddad87b059ea035c", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "ENV assigns a literal value to a secret-like variable 
name.", "evidence": {"rule_id": "DKR005", "scanner": "repobility-docker", "variable": "PASSWORD_LOGIN_ENABLED", "references": ["https://docs.docker.com/build/building/secrets/", "https://docs.docker.com/compose/how-tos/environment-variables/best-practices/"], "correlation_key": "fp|17e2e467635e0bbda2ba6b6fe773e867292829cd2e3e79a7ddad87b059ea035c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR005", "level": "error", "message": {"text": "Docker image bakes a secret-like ENV value"}, "properties": {"repobilityId": 38701, "scanner": "repobility-docker", "fingerprint": "2c7f092a5c1d5ab6989b222d330cf7b0c3f84a88677f8ceaba120febeb294456", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "ENV assigns a literal value to a secret-like variable name.", "evidence": {"rule_id": "DKR005", "scanner": "repobility-docker", "variable": "PASSWORD_LOGIN_ENABLED", "references": ["https://docs.docker.com/build/building/secrets/", "https://docs.docker.com/compose/how-tos/environment-variables/best-practices/"], "correlation_key": "fp|2c7f092a5c1d5ab6989b222d330cf7b0c3f84a88677f8ceaba120febeb294456"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. 
These URLs are often copied into defaults, docs, and scripts, then leak working credentials. In this match the user and password are `{{...}}` template placeholders rather than committed literals, so the residual risk is the rendered URL surfacing in shell traces (`set -x`), process listings or logs; build the URL at runtime from separately sourced secrets and keep it out of trace output."}, "properties": {"repobilityId": 38657, "scanner": "repobility-threat-engine", "fingerprint": "2203366d0f8271ffad55e8925720c6220774b68151b7b9e6259ec1cb8e7d49be", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "mongodb://{{DATABASE_USER}}:{{DATABASE_PASSWORD}}@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|1|mongodb:// database_user : database_password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "stacksmith/user-scripts/boot.sh"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 38641, "scanner": "repobility-threat-engine", "fingerprint": "20cf3a2d0b6ffd639fab4503d627705eaf2c2d299fd4c9c0f409b936f5b140a3", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|20cf3a2d0b6ffd639fab4503d627705eaf2c2d299fd4c9c0f409b936f5b140a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "stacksmith/user-scripts/boot.sh"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED013", "level": "error", 
"message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 38640, "scanner": "repobility-threat-engine", "fingerprint": "f78dae63cc266ba2d1546b8f62f21044d5c53a0b3f0c4aa97f67008b3ed7c1fe", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f78dae63cc266ba2d1546b8f62f21044d5c53a0b3f0c4aa97f67008b3ed7c1fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/Platforms/FOSS/Docker/Meteor3/1createdb.sh"}, "region": {"startLine": 63}}}]}]}]}