{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /X-"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /tenant_url."}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 21.9% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 21.9% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Dockerfile base image uses the latest tag", "shortDescription": {"text": "Dockerfile base image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC094", "name": "[SEC094] Go: world-writable file permissions: File or directory created with world-writable mode 
(e.g. 0666, 0777). Port", "shortDescription": {"text": "[SEC094] Go: world-writable file permissions: File or directory created with world-writable mode (e.g. 0666, 0777). Ported from gosec G301 / G302 / G306 (Apache-2.0)."}, "fullDescription": {"text": "Use 0600 for files, 0700 for dirs that should be private."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC089", "name": "[SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces \u2014 exposes service beyond intended ", "shortDescription": {"text": "[SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces \u2014 exposes service beyond intended scope. 
Ported from gosec G102 (Apache-2.0)."}, "fullDescription": {"text": "Bind to `127.0.0.1:PORT` and front with a reverse proxy."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC112", "name": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/templa", "shortDescription": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. Using either with user input = XSS."}, "fullDescription": {"text": "Use `html/template` (NOT `text/template`) for HTML responses. Never wrap user input with `template.HTML/JS/URL`."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a 
runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC017", "name": "Database password is wired through an environment variable placeholder", "shortDescription": {"text": "Database password is wired through an environment variable placeholder"}, "fullDescription": {"text": "Prefer Compose secrets or your platform secret manager with *_FILE variables where the image supports them. Rotate only if a real value was committed."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.58, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python 
f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `seafile` image is selected through a build variable", "shortDescription": {"text": "Compose service `seafile` image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise 
NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED048", "name": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues.", "shortDescription": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 75 more): Same pattern found in 75 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 75 more): Same pattern found in 75 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 19 more): Same pattern found in 19 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 41 more): Same pattern found in 41 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 41 more): Same pattern found in 41 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 43 more): Same pattern found in 43 additional files. Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 43 more): Same pattern found in 43 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/setup-go@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `alpine:latest` not pinned by digest: `FROM alpine:latest` resolves the tag at build time. Th", "shortDescription": {"text": "[MINED118] Dockerfile FROM `alpine:latest` not pinned by digest: `FROM alpine:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images sh"}, "fullDescription": {"text": "Replace with: `FROM alpine:latest@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_rpc_error` of class `TestRclone` reads `s", "shortDescription": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_rpc_error` of class `TestRclone` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError th"}, "fullDescription": {"text": "Initialize `self.assertTrue = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_server: Test function `test_server` runs code but contains no assert / expect / s", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_server: Test function `test_server` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "Create .dockerignore before using broad context copies, or copy only the required files and directories."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. 
Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED033", "name": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.", "shortDescription": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "fullDescription": {"text": "Use a constant command name and validate args via a whitelist."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in G", "shortDescription": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC088", "name": "[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM r", "shortDescription": {"text": "[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM risk. Ported from gosec G402 (Apache-2.0)."}, "fullDescription": {"text": "Remove the option. If self-signed certs are required, pin via RootCAs."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.RCLONE_CONFIG_PASS` on a `pull_request` trigger: This workflow triggers on `pull_reque", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.RCLONE_CONFIG_PASS` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.RCLONE_CONFIG_PASS }` lets a PR from any fork exfiltrate "}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`", "shortDescription": {"text": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import email` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/901"}, "properties": {"repository": "rclone/rclone", "repoUrl": "https://github.com/rclone/rclone", "branch": "master"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 84187, "scanner": "repobility-ast-engine", "fingerprint": "b85b906ef96bd26cecf78ba497fe414f71c186b8f0c272ba7f2140a64f851e55", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b85b906ef96bd26cecf78ba497fe414f71c186b8f0c272ba7f2140a64f851e55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/check_autogenerated_edits.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 84185, "scanner": "repobility-ast-engine", "fingerprint": "3c262c5c8d66ab45955c318fbadab7d73733f7134921eed74c452735b12a7a5b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3c262c5c8d66ab45955c318fbadab7d73733f7134921eed74c452735b12a7a5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/make_backend_docs.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 84184, "scanner": "repobility-ast-engine", "fingerprint": "31161f4e46e4b5874f4f880a7af013e2428a2be86b4d67e5bbcd5c621ab53c7a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|31161f4e46e4b5874f4f880a7af013e2428a2be86b4d67e5bbcd5c621ab53c7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/make_backend_docs.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /X-JottaCloud-OTP."}, "properties": {"repobilityId": 84182, "scanner": "repobility-access-control", "fingerprint": "a8b6345a570a489c8aa2dfc0046a90b9a765b1428938117762407745fc3a47ca", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/X-JottaCloud-OTP", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|655|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/jottacloud/jottacloud.go"}, "region": {"startLine": 655}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /access_token."}, "properties": {"repobilityId": 84181, "scanner": "repobility-access-control", "fingerprint": "6e110c85773095c33e05af94a6daed6c75aa48ff3b902ba679dd9089484fbfaa", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/access_token", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|backend/mailru/mailru.go|497|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/mailru/mailru.go"}, "region": {"startLine": 497}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /token."}, "properties": {"repobilityId": 84180, "scanner": "repobility-access-control", "fingerprint": "19cf0fb6d1d9d2832ac25d7c427e411532bd9dc16754fdd27be838de8614b28b", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/token", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|backend/mailru/mailru.go|494|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/mailru/mailru.go"}, "region": {"startLine": 494}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /hostname."}, "properties": {"repobilityId": 84179, "scanner": "repobility-access-control", "fingerprint": "fada1b93bd0724bfbcaaad2354758ec3250d1b0db7221fbeaec4d9be627f03d1", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/hostname", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|backend/pcloud/pcloud.go|84|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/pcloud/pcloud.go"}, "region": {"startLine": 84}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /user_agent."}, "properties": {"repobilityId": 84178, "scanner": "repobility-access-control", "fingerprint": "02538a69e4cf5fbbf318f3ac705c52b4c688c84841dde898d7af6e8bf74f2b12", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/user_agent", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|backend/yandex/yandex.go|265|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/yandex/yandex.go"}, "region": {"startLine": 265}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /config_template."}, "properties": {"repobilityId": 84177, "scanner": "repobility-access-control", "fingerprint": "edb4a3975d7977d11bcea57a900c240d38ccb2879d5b4bff0753cadfb5e77915", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/config_template", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|lib/oauthutil/oauthutil.go|725|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/oauthutil/oauthutil.go"}, "region": {"startLine": 725}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /config_template_file."}, "properties": {"repobilityId": 84176, "scanner": "repobility-access-control", "fingerprint": "9921f01869cd87c031d7f919f3f2239fa73bd067d4d4f2ee375cb138f8376fe1", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/config_template_file", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|lib/oauthutil/oauthutil.go|724|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/oauthutil/oauthutil.go"}, "region": {"startLine": 724}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /token."}, "properties": {"repobilityId": 84175, "scanner": "repobility-access-control", "fingerprint": "113813819b9eaae7478b2ca25a889847175a3e03b7c09442e67f14cf2a0b0f29", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/token", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|lib/oauthutil/oauthutil.go|633|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/oauthutil/oauthutil.go"}, "region": {"startLine": 633}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /getContentFeatures.dlna.org."}, "properties": {"repobilityId": 84174, "scanner": "repobility-access-control", "fingerprint": "1d2e8dd8a535b9c0fb92965bd2f53137000a7e2ac49fbef8c9065a148edcd42c", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/getContentFeatures.dlna.org", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|cmd/serve/dlna/dlna.go|352|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/serve/dlna/dlna.go"}, "region": {"startLine": 352}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /order."}, "properties": {"repobilityId": 84173, "scanner": "repobility-access-control", "fingerprint": "8c4e3e6d15967303354902502272fdfe0ded176c73b9baf5d6eed3e36c8406b7", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/order", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|cmd/serve/http/http.go|324|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/serve/http/http.go"}, "region": {"startLine": 324}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /tenant_url."}, "properties": {"repobilityId": 84172, "scanner": "repobility-access-control", "fingerprint": "0bdb9069656f55b8d494c618373f4c4f5a883b7b7aab5716375b95b012f5c53a", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/tenant_url", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|493|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/onedrive/onedrive.go"}, "region": {"startLine": 493}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /region."}, "properties": {"repobilityId": 84171, "scanner": "repobility-access-control", "fingerprint": "749c848ce4f774c247ff00cb8b3add4f8015affd50643792697a7b52fe28d2fe", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/region", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|488|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/onedrive/onedrive.go"}, "region": {"startLine": 488}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 21.9% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 84170, "scanner": "repobility-access-control", "fingerprint": "4e31f288c488b401e9349599934ff217449c2d842ba87316e1aa916cca52401c", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 155, "correlation_key": "fp|4e31f288c488b401e9349599934ff217449c2d842ba87316e1aa916cca52401c", "auth_visible_percent": 21.9}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 84169, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": 
"medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Chi"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 84163, "scanner": "repobility-docker", "fingerprint": "3d88bcbeaf3fd7903c00a223a94e6b7a88d3faf0862b3b49f20544dcd79fc754", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|3d88bcbeaf3fd7903c00a223a94e6b7a88d3faf0862b3b49f20544dcd79fc754"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fstest/testserver/init.d/seafile/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 84162, "scanner": "repobility-docker", "fingerprint": "e6b753b4e5094e1852ea526ae126145cd4f4e02b3f2bc307b6dea0c4e642bec0", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e6b753b4e5094e1852ea526ae126145cd4f4e02b3f2bc307b6dea0c4e642bec0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fstest/testserver/images/test-sftp-openssh/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 84161, "scanner": "repobility-docker", "fingerprint": "25fe495e983b3ab4563bb6fb092b3078517c192dd06c1c1040bc760a15993335", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "alpine:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|25fe495e983b3ab4563bb6fb092b3078517c192dd06c1c1040bc760a15993335"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fstest/testserver/images/test-sftp-openssh/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 84160, "scanner": "repobility-docker", "fingerprint": "2e9f18179ce67568baa6488b52659bf1330879e2e86227b2bf52e75888c87daa", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:stretch", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2e9f18179ce67568baa6488b52659bf1330879e2e86227b2bf52e75888c87daa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fstest/testserver/images/test-hdfs/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 84159, "scanner": "repobility-docker", "fingerprint": "8473c9708f48e9c99fab174acc927cd60f13ad84fd30425cbe9b118b97445fe5", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8473c9708f48e9c99fab174acc927cd60f13ad84fd30425cbe9b118b97445fe5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/docker-plugin/managed/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 84158, "scanner": "repobility-docker", "fingerprint": "00f2e0db76205f1cd381b4b20f8f266c81fee2f7d0a7f3c82a7858b049b32a69", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "alpine:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|00f2e0db76205f1cd381b4b20f8f266c81fee2f7d0a7f3c82a7858b049b32a69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/docker-plugin/managed/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 84156, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 84155, "scanner": "repobility-docker", "fingerprint": "fe554e898139a8b73f0fdf9fc48b16f7ad1b7e4a2c71f72561d377187dba6edd", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|fe554e898139a8b73f0fdf9fc48b16f7ad1b7e4a2c71f72561d377187dba6edd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 84154, "scanner": "repobility-docker", "fingerprint": "4cfb6ad5bb7e4f433362344ee2d021275a5aa6255982bc68f2551cc965c273cc", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "alpine:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4cfb6ad5bb7e4f433362344ee2d021275a5aa6255982bc68f2551cc965c273cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC094", "level": "warning", "message": {"text": "[SEC094] Go: world-writable file permissions: File or directory created with world-writable mode (e.g. 0666, 0777). 
Ported from gosec G301 / G302 / G306 (Apache-2.0)."}, "properties": {"repobilityId": 84121, "scanner": "repobility-threat-engine", "fingerprint": "4a7821a8422b490301c24bbac4aee76ad5f01d8ff236fe1eb56edbf6e753ef32", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.OpenFile(name, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0666", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC094", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4a7821a8422b490301c24bbac4aee76ad5f01d8ff236fe1eb56edbf6e753ef32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vfs/vfstest/file.go"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 84118, "scanner": "repobility-threat-engine", "fingerprint": "d4391510e62701f3d6bf45ba7a1385c6521c2d61efe94f1db7cdc3a9a95fdbe7", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.5 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD=\"<redacted>\"", "reason": "Low entropy value (2.5 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|1|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fstest/testserver/images/test-hdfs/run.sh"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. 
Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 84117, "scanner": "repobility-threat-engine", "fingerprint": "8ab42205c273fe8c47671c7a3a193a3077c8e99869ed65c27e2e55f16cb735e2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.ListenAndServe(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8ab42205c273fe8c47671c7a3a193a3077c8e99869ed65c27e2e55f16cb735e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fs/rc/js/serve.go"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC089", "level": "warning", "message": {"text": "[SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces \u2014 exposes service beyond intended scope. Ported from gosec G102 (Apache-2.0)."}, "properties": {"repobilityId": 84116, "scanner": "repobility-threat-engine", "fingerprint": "0bc62679dd602fc6728dab1c48f5515b743752976a8f179ea368f4b51b211ed1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".ListenAndServe(\":3000\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC089", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0bc62679dd602fc6728dab1c48f5515b743752976a8f179ea368f4b51b211ed1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fs/rc/js/serve.go"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC112", "level": "warning", "message": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML 
escaping. `template.HTML(x)` marks data as already-safe. Using either with user input = XSS."}, "properties": {"repobilityId": 84113, "scanner": "repobility-threat-engine", "fingerprint": "890f7202f7aeca273c7a04585df69a529de1a6b82492bb83b38234755d4e0299", "category": "xss", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fmt.Fprintln(outFile, footer)\n\t}\n\treturn nil\n}\n\n// FileInfo maps an fs.DirEntry into an os.FileInfo", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC112", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|890f7202f7aeca273c7a04585df69a529de1a6b82492bb83b38234755d4e0299"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/tree/tree.go"}, "region": {"startLine": 156}}}]}, {"ruleId": "SEC112", "level": "warning", "message": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. 
Using either with user input = XSS."}, "properties": {"repobilityId": 84112, "scanner": "repobility-threat-engine", "fingerprint": "a4814ffa31b6867e7c05d33edfdba8a5e7cb4ae37c8166c17ff87ef5a3d1cee8", "category": "xss", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fmt.Fprintln(out, list.Format(item))\n\t\treturn nil\n\t})", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC112", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a4814ffa31b6867e7c05d33edfdba8a5e7cb4ae37c8166c17ff87ef5a3d1cee8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/lsf/lsf.go"}, "region": {"startLine": 258}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 84168, "scanner": "repobility-docker", "fingerprint": "2766c815fa11fe8d5c9d93faff39a2cc9d6760ababa8b581733e0ca5eb585297", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "seafile", "dependency": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|2766c815fa11fe8d5c9d93faff39a2cc9d6760ababa8b581733e0ca5eb585297", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fstest/testserver/init.d/seafile/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 84167, "scanner": "repobility-docker", "fingerprint": 
"04b3deb73d3fea986aac353adb368f9d2ab8caf343a62ca0c764e870aab5ac80", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "seafile", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|04b3deb73d3fea986aac353adb368f9d2ab8caf343a62ca0c764e870aab5ac80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fstest/testserver/init.d/seafile/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 84166, "scanner": "repobility-docker", "fingerprint": "ec2e4c430ca31f67850da4ed984b4645e3782b8163959f595536215500da1901", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "seafile", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ec2e4c430ca31f67850da4ed984b4645e3782b8163959f595536215500da1901"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fstest/testserver/init.d/seafile/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKC017", "level": "note", "message": {"text": "Database password is wired through an environment variable placeholder"}, "properties": {"repobilityId": 84164, "scanner": "repobility-docker", "fingerprint": "e3054829267df4d37c26829ab0d5d07807efa376fc6aaa4ff7541df2ea7428ba", "category": "docker", "severity": "low", "confidence": 0.58, "triageState": 
"open", "verdict": "needs_review", "isResolved": false, "reason": "Database image supports file-based secret variables, but only placeholder environment variables were found.", "evidence": {"rule_id": "DKC017", "scanner": "repobility-docker", "service": "db", "variables": ["MYSQL_ROOT_PASSWORD"], "references": ["https://docs.docker.com/compose/how-tos/use-secrets/"], "correlation_key": "fp|e3054829267df4d37c26829ab0d5d07807efa376fc6aaa4ff7541df2ea7428ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fstest/testserver/init.d/seafile/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84152, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5be639ffd8bda42e1c389302b779baa53a1183377a2a5f42a76cf0f3f9e92ea8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/copy/copy.go", "duplicate_line": 83, "correlation_key": "fp|5be639ffd8bda42e1c389302b779baa53a1183377a2a5f42a76cf0f3f9e92ea8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/move/move.go"}, "region": {"startLine": 59}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84151, "scanner": "repobility-ai-code-hygiene", "fingerprint": "446ca149a8c978ca306b24e543fd1154186058380f59cba6051ebfe9a9f33012", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/cmount/fs.go", "duplicate_line": 489, "correlation_key": "fp|446ca149a8c978ca306b24e543fd1154186058380f59cba6051ebfe9a9f33012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/mount2/fs.go"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84150, "scanner": "repobility-ai-code-hygiene", "fingerprint": "83abb4a5b5885a6740546802572d420836cf3bc4b6ec9e036dfbffc3274902b5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/ls/ls.go", "duplicate_line": 2, "correlation_key": "fp|83abb4a5b5885a6740546802572d420836cf3bc4b6ec9e036dfbffc3274902b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/lsl/lsl.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84149, "scanner": "repobility-ai-code-hygiene", "fingerprint": "14eada002c58d5528925d7b81561aebb16760ee3bbb85bbed256ff02a074853f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/doi/doi.go", "duplicate_line": 351, "correlation_key": 
"fp|14eada002c58d5528925d7b81561aebb16760ee3bbb85bbed256ff02a074853f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/yandex/yandex.go"}, "region": {"startLine": 679}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84148, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eb84a68e9f27ade20555c75ec59a0e3b0ae5b3b4df9f4120a7e69ce5d146871d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/premiumizeme/premiumizeme.go", "duplicate_line": 128, "correlation_key": "fp|eb84a68e9f27ade20555c75ec59a0e3b0ae5b3b4df9f4120a7e69ce5d146871d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/yandex/yandex.go"}, "region": {"startLine": 120}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84147, "scanner": "repobility-ai-code-hygiene", "fingerprint": "754ffb699f03734d52dd8d189300c0bd4b7764c9a90f3c6acbc27a9b717582fb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/combine/combine.go", "duplicate_line": 843, "correlation_key": "fp|754ffb699f03734d52dd8d189300c0bd4b7764c9a90f3c6acbc27a9b717582fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"backend/union/upstream/upstream.go"}, "region": {"startLine": 207}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84146, "scanner": "repobility-ai-code-hygiene", "fingerprint": "58b812a6feb59ba721141768cf1e4cc186cfd053b636c552fb3eaf07a7f54962", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/combine/combine.go", "duplicate_line": 492, "correlation_key": "fp|58b812a6feb59ba721141768cf1e4cc186cfd053b636c552fb3eaf07a7f54962"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/union/union.go"}, "region": {"startLine": 392}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84145, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e97bd7355fa9ce44f7edf42a31990325694a3188a655f312c8bc47ae1673b558", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/seafile/object.go", "duplicate_line": 28, "correlation_key": "fp|e97bd7355fa9ce44f7edf42a31990325694a3188a655f312c8bc47ae1673b558"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/sia/sia.go"}, "region": {"startLine": 98}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, 
"properties": {"repobilityId": 84144, "scanner": "repobility-ai-code-hygiene", "fingerprint": "476d8351dd4ad902534d3018888d0ade9b8bcc5eadcda3d1a5a69598b456bacd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/premiumizeme/premiumizeme.go", "duplicate_line": 605, "correlation_key": "fp|476d8351dd4ad902534d3018888d0ade9b8bcc5eadcda3d1a5a69598b456bacd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/shade/shade.go"}, "region": {"startLine": 584}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84143, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c834a1d6d56e60c96ef68d780ddef4b5d49f114fbca4e32b3174eead2524cbf6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/doi/doi.go", "duplicate_line": 351, "correlation_key": "fp|c834a1d6d56e60c96ef68d780ddef4b5d49f114fbca4e32b3174eead2524cbf6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/shade/shade.go"}, "region": {"startLine": 581}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84142, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5ef108a551cb73a163aad0ce501813ccb52dda62c985369df7472d3f2831cb28", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/doi/doi.go", "duplicate_line": 351, "correlation_key": "fp|5ef108a551cb73a163aad0ce501813ccb52dda62c985369df7472d3f2831cb28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/putio/object.go"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84141, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e9bc298dd3946dd51aae3e70ad4787a7ccb17e3fcdf38f4ccdc0beefe07dfa7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/doi/doi.go", "duplicate_line": 351, "correlation_key": "fp|5e9bc298dd3946dd51aae3e70ad4787a7ccb17e3fcdf38f4ccdc0beefe07dfa7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/premiumizeme/premiumizeme.go"}, "region": {"startLine": 602}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84140, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9a2421de3a6e1bdd8ca170b9e1bfc62e31c2faf761be64c8727148b0e1160580", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test 
files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/fichier/fichier.go", "duplicate_line": 176, "correlation_key": "fp|9a2421de3a6e1bdd8ca170b9e1bfc62e31c2faf761be64c8727148b0e1160580"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/premiumizeme/premiumizeme.go"}, "region": {"startLine": 236}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84139, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0e579c20a90220f09e3c285198f8e1ac5ec890feff489e10706a3c9d02ec714d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/box/api/types.go", "duplicate_line": 9, "correlation_key": "fp|0e579c20a90220f09e3c285198f8e1ac5ec890feff489e10706a3c9d02ec714d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/pcloud/api/types.go"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84138, "scanner": "repobility-ai-code-hygiene", "fingerprint": "55831636365f2194b38e9f4aac968582e3209c5af718790c1e790de1cf34af10", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"backend/memory/memory.go", "duplicate_line": 294, "correlation_key": "fp|55831636365f2194b38e9f4aac968582e3209c5af718790c1e790de1cf34af10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/oracleobjectstorage/oracleobjectstorage.go"}, "region": {"startLine": 206}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84137, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1aa24847a1e61a120caef5028f8fd9b72c17669f6daf5998f402d8723144b869", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/doi/doi.go", "duplicate_line": 351, "correlation_key": "fp|1aa24847a1e61a120caef5028f8fd9b72c17669f6daf5998f402d8723144b869"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/opendrive/opendrive.go"}, "region": {"startLine": 654}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84136, "scanner": "repobility-ai-code-hygiene", "fingerprint": "379e4dc2dfe4438cc7c202b96a03dfdf92e5f1e3d701bbb6808024e51e3adf4d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/iclouddrive/iclouddrive.go", "duplicate_line": 516, "correlation_key": "fp|379e4dc2dfe4438cc7c202b96a03dfdf92e5f1e3d701bbb6808024e51e3adf4d"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/opendrive/opendrive.go"}, "region": {"startLine": 188}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84135, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d6f8efaf647f9387d40313e7c440a401c65337a122e981497e0c4045d457257", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/local/metadata_linux.go", "duplicate_line": 15, "correlation_key": "fp|9d6f8efaf647f9387d40313e7c440a401c65337a122e981497e0c4045d457257"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/local/metadata_unix.go"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84134, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7a795a4ad5cc15aee4f295e28052d1f815d2cb8a272656a82f36a8c0baf19855", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/local/metadata_bsd.go", "duplicate_line": 1, "correlation_key": "fp|7a795a4ad5cc15aee4f295e28052d1f815d2cb8a272656a82f36a8c0baf19855"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/local/metadata_unix.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", 
"message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84133, "scanner": "repobility-ai-code-hygiene", "fingerprint": "36f5d68716edc2c9928aa69a47205182bad4e9ceb1e829c6c504954f63d28715", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/fichier/fichier.go", "duplicate_line": 169, "correlation_key": "fp|36f5d68716edc2c9928aa69a47205182bad4e9ceb1e829c6c504954f63d28715"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/linkbox/linkbox.go"}, "region": {"startLine": 147}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84132, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5f07288aa347f4a960355669a31363c54a1e5b743b89c0e7e5d826bc59ca28d1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/iclouddrive/iclouddrive.go", "duplicate_line": 511, "correlation_key": "fp|5f07288aa347f4a960355669a31363c54a1e5b743b89c0e7e5d826bc59ca28d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internxt/internxt.go"}, "region": {"startLine": 331}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84131, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"2a1065f526bc8b11669df6b0f82fe2b2036eaff01a75dad13268d52b9efe0587", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/fichier/fichier.go", "duplicate_line": 165, "correlation_key": "fp|2a1065f526bc8b11669df6b0f82fe2b2036eaff01a75dad13268d52b9efe0587"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/iclouddrive/iclouddrive.go"}, "region": {"startLine": 505}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84130, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e24e641708f807bc8d30e174983d347f643f0ba4f85712e422fbe51f6759c501", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/doi/doi.go", "duplicate_line": 344, "correlation_key": "fp|e24e641708f807bc8d30e174983d347f643f0ba4f85712e422fbe51f6759c501"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/http/http.go"}, "region": {"startLine": 503}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84129, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d610f9ba7e9e2d0a1ed899f6157a6b12bce63fbc499e0be1ce7358450e77e523", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/doi/doi.go", "duplicate_line": 351, "correlation_key": "fp|d610f9ba7e9e2d0a1ed899f6157a6b12bce63fbc499e0be1ce7358450e77e523"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/hidrive/hidrive.go"}, "region": {"startLine": 514}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84128, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3a59e2d9cd448e837e28d9b2f079af73a7f2409062b99fe8f78099c0f2863870", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/filelu/filelu_object.go", "duplicate_line": 192, "correlation_key": "fp|3a59e2d9cd448e837e28d9b2f079af73a7f2409062b99fe8f78099c0f2863870"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/hdfs/object.go"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84127, "scanner": "repobility-ai-code-hygiene", "fingerprint": "20d7296e6af9f36718eb0676d86a82dd05673fcc671037ac1ea0f5b4853c10c5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/combine/combine.go", "duplicate_line": 857, "correlation_key": "fp|20d7296e6af9f36718eb0676d86a82dd05673fcc671037ac1ea0f5b4853c10c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/hasher/hasher.go"}, "region": {"startLine": 426}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84126, "scanner": "repobility-ai-code-hygiene", "fingerprint": "728ae94ee4cd4aff23302c785e75d275a60c9d46a8b4583929efcb6cab07b731", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/box/api/types.go", "duplicate_line": 4, "correlation_key": "fp|728ae94ee4cd4aff23302c785e75d275a60c9d46a8b4583929efcb6cab07b731"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/gofile/api/types.go"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84125, "scanner": "repobility-ai-code-hygiene", "fingerprint": "db78cc2f536c645247843ad97625db03811c0dc92fbe159dfb9494653f830107", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/doi/doi.go", "duplicate_line": 351, "correlation_key": 
"fp|db78cc2f536c645247843ad97625db03811c0dc92fbe159dfb9494653f830107"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/filescom/filescom.go"}, "region": {"startLine": 505}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84124, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ba801820b74f9a59481686514fe90427abdee0491b2eaeb291e2e745f30efab6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/azurefiles/azurefiles.go", "duplicate_line": 430, "correlation_key": "fp|ba801820b74f9a59481686514fe90427abdee0491b2eaeb291e2e745f30efab6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/filelu/filelu_object.go"}, "region": {"startLine": 52}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84123, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7bb3f2bb0b7f7a67caf033f13ea2816ed014445c49b7dd71cccdb9601375837a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/compress/gzip_handler.go", "duplicate_line": 21, "correlation_key": "fp|7bb3f2bb0b7f7a67caf033f13ea2816ed014445c49b7dd71cccdb9601375837a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"backend/compress/zstd_handler.go"}, "region": {"startLine": 21}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 84084, "scanner": "repobility-threat-engine", "fingerprint": "f37532d9bae3d5c931637840b236c09e69204638a262013e2df2bc789e21ea02", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = o.Remove(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f37532d9bae3d5c931637840b236c09e69204638a262013e2df2bc789e21ea02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/compress/zstd_handler.go"}, "region": {"startLine": 154}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 84083, "scanner": "repobility-threat-engine", "fingerprint": "8c5c275bfa51d2156fb000edf3e9987a20a045dedf5bcadde64e9bbfb7aa0548", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = o.refresh(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8c5c275bfa51d2156fb000edf3e9987a20a045dedf5bcadde64e9bbfb7aa0548"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cache/object.go"}, "region": {"startLine": 138}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 84082, 
"scanner": "repobility-threat-engine", "fingerprint": "11191b4d1cc8b5fe68defd33a3188c033b9ceb58e0049f22f2b263be66f91934", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = hash.Write(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|11191b4d1cc8b5fe68defd33a3188c033b9ceb58e0049f22f2b263be66f91934"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/box/upload.go"}, "region": {"startLine": 227}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 84080, "scanner": "repobility-threat-engine", "fingerprint": "91801cdb739c67f0c222df5de348ce4ff14ab7451632521dbdce38e71d728bee", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"provider/\"+name+\".yaml\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|91801cdb739c67f0c222df5de348ce4ff14ab7451632521dbdce38e71d728bee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/s3/providers.go"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 84079, "scanner": "repobility-threat-engine", "fingerprint": "17207a682d4b50558b1cd13490fb327a07c6533a5e5ba7320d373d021d5f721d", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"/v2/files/\"+directoryID+\"/child?name=\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|17207a682d4b50558b1cd13490fb327a07c6533a5e5ba7320d373d021d5f721d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/putio/object.go"}, "region": {"startLine": 140}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 84078, "scanner": "repobility-threat-engine", "fingerprint": "60c9b53e73a35e79b9db51c734609132cf10e583c2420236a69c3f9a2cd16a80", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"/files/upload_sessions/\" + SessionID + \"/commit\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|60c9b53e73a35e79b9db51c734609132cf10e583c2420236a69c3f9a2cd16a80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/box/upload.go"}, "region": {"startLine": 89}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 84069, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `seafile` image is selected through a build variable"}, "properties": {"repobilityId": 84165, "scanner": "repobility-docker", "fingerprint": "19269cc7dac0f13d5f4a23e15e0cc7f93032e4f11e293dfe08505be254928fcb", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": 
"seafileltd/seafile-mc:${SEAFILE_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|19269cc7dac0f13d5f4a23e15e0cc7f93032e4f11e293dfe08505be254928fcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fstest/testserver/init.d/seafile/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 84157, "scanner": "repobility-docker", "fingerprint": "ccc5ca1e38d8a47100328dddfe90a9de0b83865e1280d7e482bfbfd7865ba46d", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${BASE_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|ccc5ca1e38d8a47100328dddfe90a9de0b83865e1280d7e482bfbfd7865ba46d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/docker-plugin/managed/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 84122, "scanner": "repobility-threat-engine", "fingerprint": "f05abb34e584463c5ae4656e1e6887e1673da9a0efed5971e7fe88881a05bcc7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": 
{"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f05abb34e584463c5ae4656e1e6887e1673da9a0efed5971e7fe88881a05bcc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vfs/vfstest/file.go"}, "region": {"startLine": 237}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 84120, "scanner": "repobility-threat-engine", "fingerprint": "cac1aa2cfa7ad0b766ff5c4c125cc5ac6b50b406cdad8285214416af27a89bf3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cac1aa2cfa7ad0b766ff5c4c125cc5ac6b50b406cdad8285214416af27a89bf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "librclone/python/rclone.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. 
Hides real issues."}, "properties": {"repobilityId": 84119, "scanner": "repobility-threat-engine", "fingerprint": "ea6e197ee6bf017a834adb2fcc49cfab2090e11d7be1a078013217681f7e38e4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea6e197ee6bf017a834adb2fcc49cfab2090e11d7be1a078013217681f7e38e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "librclone/php/test.php"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 84115, "scanner": "repobility-threat-engine", "fingerprint": "5df5691008ef6c280d063f3999f9e03043ed47b55416ff29c6fba8c75945a10d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5df5691008ef6c280d063f3999f9e03043ed47b55416ff29c6fba8c75945a10d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fs/rc/js/loader.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 75 more): Same pattern found in 75 additional files. Review if needed."}, "properties": {"repobilityId": 84106, "scanner": "repobility-threat-engine", "fingerprint": "bb7a996c95b251b6b1edf7abab2a8305f10242ca21e49e767ce01c56c1a44fb8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 75 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|bb7a996c95b251b6b1edf7abab2a8305f10242ca21e49e767ce01c56c1a44fb8", "aggregated_count": 75}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 84105, "scanner": "repobility-threat-engine", "fingerprint": "4bc9373f29846d05e122e291ae16480064d5c957146fdb8912dee87ab0b4aea3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4bc9373f29846d05e122e291ae16480064d5c957146fdb8912dee87ab0b4aea3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/oracleobjectstorage/copy.go"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 84104, "scanner": "repobility-threat-engine", "fingerprint": "1a6a402a63f1bf248b3f8290a42809730e0396eeed0402b543b4dbca3ce9856e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1a6a402a63f1bf248b3f8290a42809730e0396eeed0402b543b4dbca3ce9856e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/iclouddrive/api/client.go"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 84103, "scanner": "repobility-threat-engine", "fingerprint": "e0e872635392e9f22df4a24a8586420bd5f6040fb48b97cbb8a5a98c6ac529e3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0e872635392e9f22df4a24a8586420bd5f6040fb48b97cbb8a5a98c6ac529e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/compress/szstd_helper.go"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 19 more): Same pattern found in 19 additional files. 
Review if needed."}, "properties": {"repobilityId": 84102, "scanner": "repobility-threat-engine", "fingerprint": "53aca00719aafbbb533eb637957248d56d6d803988a43b6b4b86bea48ad9d1e2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|53aca00719aafbbb533eb637957248d56d6d803988a43b6b4b86bea48ad9d1e2", "aggregated_count": 19}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 84101, "scanner": "repobility-threat-engine", "fingerprint": "d840519a9e043c799921fd772488a1ab6bbe99aef0adb871b44477129ecb6fc5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d840519a9e043c799921fd772488a1ab6bbe99aef0adb871b44477129ecb6fc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/crypt/pkcs7/pkcs7.go"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 84100, "scanner": "repobility-threat-engine", "fingerprint": "2ee7cada76fdf9ddff88db3ce040527df0463da397298f274282430f3f6ef057", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2ee7cada76fdf9ddff88db3ce040527df0463da397298f274282430f3f6ef057"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/compress/zstd_handler.go"}, "region": {"startLine": 180}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 84099, "scanner": "repobility-threat-engine", "fingerprint": "0ccb58b69c70f1a5920b29a154f53eb02057b64108ea916ff783c0dcdc710930", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0ccb58b69c70f1a5920b29a154f53eb02057b64108ea916ff783c0dcdc710930"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/compress/gzip_handler.go"}, "region": {"startLine": 195}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 84098, "scanner": "repobility-threat-engine", "fingerprint": "0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "aggregated_count": 3}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 84097, "scanner": "repobility-threat-engine", "fingerprint": "d1c6a861259b4c570618d6860ffc19346cb585916eb9944766ce4172b96217aa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d1c6a861259b4c570618d6860ffc19346cb585916eb9944766ce4172b96217aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/rc/rc.go"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 84096, "scanner": "repobility-threat-engine", "fingerprint": "8de7c76c35f985eb15d6195509965933f3c4315cb61e9ed936df90d57b5363db", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8de7c76c35f985eb15d6195509965933f3c4315cb61e9ed936df90d57b5363db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/webdav/odrvcookie/fetch.go"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 84095, "scanner": "repobility-threat-engine", "fingerprint": "ca2ff18d75c3ca59dfd05dfb717143ae4369ecb2c256428eda028029216acdfb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ca2ff18d75c3ca59dfd05dfb717143ae4369ecb2c256428eda028029216acdfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cache/plex.go"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "properties": {"repobilityId": 84089, "scanner": "repobility-threat-engine", "fingerprint": "ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee"}}}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 54 more): Same pattern found in 54 additional files. Review if needed."}, "properties": {"repobilityId": 84085, "scanner": "repobility-threat-engine", "fingerprint": "d84d1745d786932c06a9241c837446ae705bc2cab54985ad40feef3ecf32a2ea", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 54 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 54 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d84d1745d786932c06a9241c837446ae705bc2cab54985ad40feef3ecf32a2ea"}}}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 84081, "scanner": "repobility-threat-engine", "fingerprint": "9965b86108d0373c5a70f7ad25e6d5eebf2023c574b47d54f09feff3ed3b21a7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9965b86108d0373c5a70f7ad25e6d5eebf2023c574b47d54f09feff3ed3b21a7"}}}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 41 more): Same pattern found in 41 additional files. Review if needed."}, "properties": {"repobilityId": 84077, "scanner": "repobility-threat-engine", "fingerprint": "22da6b6a4e886fae0d1c8edb12c9d5858f543cccb9aa68fbed664d4c36fc3689", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 41 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|22da6b6a4e886fae0d1c8edb12c9d5858f543cccb9aa68fbed664d4c36fc3689", "aggregated_count": 41}}}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 43 more): Same pattern found in 43 additional files. 
Review if needed."}, "properties": {"repobilityId": 84073, "scanner": "repobility-threat-engine", "fingerprint": "0c7642f5af12dbb3d2b0ef2dd57c50c0d4a8a95d094823ee39ec2921df1228b0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 43 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0c7642f5af12dbb3d2b0ef2dd57c50c0d4a8a95d094823ee39ec2921df1228b0", "aggregated_count": 43}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84222, "scanner": "repobility-supply-chain", "fingerprint": "26c245c1c7e01db75840c6daca75539faa52115c7dca44b295c79f54bc544b20", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|26c245c1c7e01db75840c6daca75539faa52115c7dca44b295c79f54bc544b20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 394}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84221, "scanner": "repobility-supply-chain", "fingerprint": "016281e9817902afeb9915cf8c0564b90b40a9f2ea4d6345dcbfc4ad062bd0ce", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|016281e9817902afeb9915cf8c0564b90b40a9f2ea4d6345dcbfc4ad062bd0ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 387}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `DavidAnson/markdownlint-cli2-action` pinned to mutable ref `@v20`: `uses: DavidAnson/markdownlint-cli2-action@v20` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84220, "scanner": "repobility-supply-chain", "fingerprint": "b5d8c50ea96e5b9c931c870d1bd8432ec29976246259c492bb0b1a789717e66f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b5d8c50ea96e5b9c931c870d1bd8432ec29976246259c492bb0b1a789717e66f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 348}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `golangci/golangci-lint-action` pinned to mutable ref `@v9`: `uses: golangci/golangci-lint-action@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84219, "scanner": "repobility-supply-chain", "fingerprint": "e143eda9f26cc7f79a3fa1427c177d2c2d87398bc703e0db80228fba2e6c837b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e143eda9f26cc7f79a3fa1427c177d2c2d87398bc703e0db80228fba2e6c837b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 334}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `golangci/golangci-lint-action` pinned to mutable ref `@v9`: `uses: golangci/golangci-lint-action@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84218, "scanner": "repobility-supply-chain", "fingerprint": "268c1934f44d1bdb70ad502c0b23fa4110c30ce7915a1b57a4e9b80eb59bd788", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|268c1934f44d1bdb70ad502c0b23fa4110c30ce7915a1b57a4e9b80eb59bd788"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 326}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `golangci/golangci-lint-action` pinned to mutable ref `@v9`: `uses: golangci/golangci-lint-action@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84217, "scanner": "repobility-supply-chain", "fingerprint": "4e575f8c73c0f2267736e669b3ee06780c0da5dad016ab64c48dce4ea8be05e8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e575f8c73c0f2267736e669b3ee06780c0da5dad016ab64c48dce4ea8be05e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 318}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `golangci/golangci-lint-action` pinned to mutable ref `@v9`: `uses: golangci/golangci-lint-action@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84216, "scanner": "repobility-supply-chain", "fingerprint": "cfd0b77aff31be9a6e6c658baeb5dc6dd4e382dc7af4493a29a908fc73195a37", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cfd0b77aff31be9a6e6c658baeb5dc6dd4e382dc7af4493a29a908fc73195a37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 310}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `golangci/golangci-lint-action` pinned to mutable ref `@v9`: `uses: golangci/golangci-lint-action@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84215, "scanner": "repobility-supply-chain", "fingerprint": "950a7a3996605bcf2789f81e1d780541da560c57250b8655f773c36bc7694ec5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|950a7a3996605bcf2789f81e1d780541da560c57250b8655f773c36bc7694ec5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 304}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84214, "scanner": "repobility-supply-chain", "fingerprint": "2874583233d8842b4132e66b738dec6a0fadf928daa9f60c6c1b731d1d310b67", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2874583233d8842b4132e66b738dec6a0fadf928daa9f60c6c1b731d1d310b67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 295}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84213, "scanner": "repobility-supply-chain", "fingerprint": "8301add74c52d6ca92181b0fd0a19d44ac5bc2c8e52b11fe28a8cbe6cff4fde3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8301add74c52d6ca92181b0fd0a19d44ac5bc2c8e52b11fe28a8cbe6cff4fde3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 286}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84212, "scanner": "repobility-supply-chain", "fingerprint": "cabdc0a9fb945f18bf5b516ace1630f859b20cfa67c1e1fcb1e1c53c86a977c6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cabdc0a9fb945f18bf5b516ace1630f859b20cfa67c1e1fcb1e1c53c86a977c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 279}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84211, "scanner": "repobility-supply-chain", "fingerprint": "4b98b5c440318704e09a26b8b1376fb1216d3f4038496c5440fd8bb0d6fa9215", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b98b5c440318704e09a26b8b1376fb1216d3f4038496c5440fd8bb0d6fa9215"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 273}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84210, "scanner": "repobility-supply-chain", "fingerprint": "25084ae73bcded50f9fdf61b997e9d8f35d39c09b9b0b8154be9aef1633da5e0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|25084ae73bcded50f9fdf61b997e9d8f35d39c09b9b0b8154be9aef1633da5e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84209, "scanner": "repobility-supply-chain", "fingerprint": "acf9f8457227f21a5bdc6dd29d4537ea1e37718d6087f6d0076ab448326b82e5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|acf9f8457227f21a5bdc6dd29d4537ea1e37718d6087f6d0076ab448326b82e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84208, "scanner": "repobility-supply-chain", "fingerprint": "a3a09d136ffe24ae702c61554d4edba2709551be574c8235450f827f004619bb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a3a09d136ffe24ae702c61554d4edba2709551be574c8235450f827f004619bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84207, "scanner": "repobility-supply-chain", "fingerprint": "ce7c0efd6026954e698d7142f4f4834eb59219370655e931dd6f73717496bd6d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ce7c0efd6026954e698d7142f4f4834eb59219370655e931dd6f73717496bd6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84206, "scanner": "repobility-supply-chain", "fingerprint": "755eb1ebebf797d4e095ff5445750fd0992ac4c06907917592edf81e1dc93278", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|755eb1ebebf797d4e095ff5445750fd0992ac4c06907917592edf81e1dc93278"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build_publish_docker_image.yml"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84205, "scanner": "repobility-supply-chain", "fingerprint": "6cd0d0a8a6c942e88550b5e7faa965f0058c722cbb4b8dd500cdad20b896f9d6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6cd0d0a8a6c942e88550b5e7faa965f0058c722cbb4b8dd500cdad20b896f9d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build_publish_docker_image.yml"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `reproducible-containers/buildkit-cache-dance` pinned to mutable ref `@v3`: `uses: reproducible-containers/buildkit-cache-dance@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84204, "scanner": "repobility-supply-chain", "fingerprint": "df52c08e5a565fc8ff9c66c630d2103bb6b6989c101ac821a0c1a83e2872c916", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|df52c08e5a565fc8ff9c66c630d2103bb6b6989c101ac821a0c1a83e2872c916"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build_publish_docker_image.yml"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84203, "scanner": "repobility-supply-chain", "fingerprint": "feddf35d7d12ff1dc49b70235593518fa5d63dcb9cba440709847c1c3e40ad52", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|feddf35d7d12ff1dc49b70235593518fa5d63dcb9cba440709847c1c3e40ad52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build_publish_docker_image.yml"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84202, "scanner": "repobility-supply-chain", "fingerprint": "bf916565ed34be235326936a0499c98058031886bf5a5dc4abc0330f38a821e8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf916565ed34be235326936a0499c98058031886bf5a5dc4abc0330f38a821e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build_publish_docker_image.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84201, "scanner": "repobility-supply-chain", "fingerprint": "b6a06e4f92a7f8a4c4ce5178dd4bd7559de73ceb3103679e1ff19349c7a8bd09", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b6a06e4f92a7f8a4c4ce5178dd4bd7559de73ceb3103679e1ff19349c7a8bd09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build_publish_docker_image.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `vedantmgoyal2009/winget-releaser` pinned to mutable ref `@v2`: `uses: vedantmgoyal2009/winget-releaser@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84200, "scanner": "repobility-supply-chain", "fingerprint": "ca93093fd7bc4b3f057db3f1139dc168bcc67bbaa49d1bf73343192603b0a0ce", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ca93093fd7bc4b3f057db3f1139dc168bcc67bbaa49d1bf73343192603b0a0ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/winget.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `jenschelkopf/issue-label-notification-action` pinned to mutable ref `@1.3`: `uses: jenschelkopf/issue-label-notification-action@1.3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84199, "scanner": "repobility-supply-chain", "fingerprint": "770dac16d58016541c66bf3c0c64ae7729dad2478965f46d47c91b9bc9beb266", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|770dac16d58016541c66bf3c0c64ae7729dad2478965f46d47c91b9bc9beb266"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/notify.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84198, "scanner": "repobility-supply-chain", "fingerprint": "b2373ef0cbe35197726646c583f575f2ebc39d394f9e78b00cb74e6b82380f9d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b2373ef0cbe35197726646c583f575f2ebc39d394f9e78b00cb74e6b82380f9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build_publish_docker_plugin.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:latest` not pinned by digest: `FROM alpine:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 84197, "scanner": "repobility-supply-chain", "fingerprint": "3c34f03a685461150f6604ad9b1d7c5b9387a80f0f62fb115593758d1b11f982", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3c34f03a685461150f6604ad9b1d7c5b9387a80f0f62fb115593758d1b11f982"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/docker-plugin/managed/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:latest` not pinned by digest: `FROM alpine:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 84196, "scanner": "repobility-supply-chain", "fingerprint": "ad87b7a61c5a64a1197d593d71a84fa6034710b2cbf7435c46295c2c7c18c328", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad87b7a61c5a64a1197d593d71a84fa6034710b2cbf7435c46295c2c7c18c328"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fstest/testserver/images/test-sftp-openssh/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:stretch` not pinned by digest: `FROM debian:stretch` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity. For this location the bigger problem is the base itself: `debian:stretch` (Debian 9) is end-of-life and no longer receives security updates, so pinning its digest would only freeze an unpatched image; even though this is a test-server image, move it to a supported Debian release and then pin that by digest."}, "properties": {"repobilityId": 84195, "scanner": "repobility-supply-chain", "fingerprint": "dc4fee0f4574fc9b19189e162b813f063474662bbdde89272cdd1e8684362385", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dc4fee0f4574fc9b19189e162b813f063474662bbdde89272cdd1e8684362385"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fstest/testserver/images/test-hdfs/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:latest` not pinned by digest: `FROM alpine:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 84194, "scanner": "repobility-supply-chain", "fingerprint": "664d911f5b608fd28b4032059d0c4426fb2853532afc05ac8777878313954811", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|664d911f5b608fd28b4032059d0c4426fb2853532afc05ac8777878313954811"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `golang:alpine` not pinned by digest: `FROM golang:alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 84193, "scanner": "repobility-supply-chain", "fingerprint": "a2389ab1d31ffc8aa446d5ea7e55edbe90de2beba6f0f2aaa5a0ec2c2cd9b9f6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a2389ab1d31ffc8aa446d5ea7e55edbe90de2beba6f0f2aaa5a0ec2c2cd9b9f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_rpc_error` of class `TestRclone` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 84192, "scanner": "repobility-ast-engine", "fingerprint": "d13974ddc417943aadf81ccec103abc51ea5eb6a5832c3c3d5dc4d1cef36afc5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d13974ddc417943aadf81ccec103abc51ea5eb6a5832c3c3d5dc4d1cef36afc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "librclone/python/test_rclone.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_rpc_error` of class `TestRclone` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 84191, "scanner": "repobility-ast-engine", "fingerprint": "295fa40bdc5086fe97d9ec28f4866b2591baec5722d55a8b42cc5229947f1315", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|295fa40bdc5086fe97d9ec28f4866b2591baec5722d55a8b42cc5229947f1315"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "librclone/python/test_rclone.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.rclone` used but never assigned in __init__: Method `test_rpc_error` of class `TestRclone` reads `self.rclone`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 84190, "scanner": "repobility-ast-engine", "fingerprint": "1c418519b1a77cfc358748b0025259755cafa309783343ae35656ce58d8ed642", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1c418519b1a77cfc358748b0025259755cafa309783343ae35656ce58d8ed642"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "librclone/python/test_rclone.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.rclone` used but never assigned in __init__: Method `test_rpc` of class `TestRclone` reads `self.rclone`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 84189, "scanner": "repobility-ast-engine", "fingerprint": "df137bfced224316206b0e4398f914d5d8b8c6fc1d9dc84e399b4e30e2937e3f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|df137bfced224316206b0e4398f914d5d8b8c6fc1d9dc84e399b4e30e2937e3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "librclone/python/test_rclone.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_rpc` of class `TestRclone` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 84188, "scanner": "repobility-ast-engine", "fingerprint": "c1a28aae0a5a3069db97d7cf3e4922aba41c8de04b98ea79a737315930df7fb3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c1a28aae0a5a3069db97d7cf3e4922aba41c8de04b98ea79a737315930df7fb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "librclone/python/test_rclone.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_server: Test function `test_server` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 84186, "scanner": "repobility-ast-engine", "fingerprint": "e2397a8f6aec3c86ac14f23fc1dba38850d2fd77f92d4aa307d288ef57127f4e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e2397a8f6aec3c86ac14f23fc1dba38850d2fd77f92d4aa307d288ef57127f4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/manage_backends.py"}, "region": {"startLine": 103}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire build context without a .dockerignore. Besides making builds slow and non-reproducible, a broad COPY can bake `.git`, local config and credential files into an image layer, where they stay recoverable even if a later step deletes them; add a .dockerignore that excludes `.git` and any local secrets, or COPY only the paths the build needs."}, "properties": {"repobilityId": 84153, "scanner": "repobility-docker", "fingerprint": "e398a32eebd777d9cee50896cae7f25561e97af797a22f10f94aaa603acb14a5", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|e398a32eebd777d9cee50896cae7f25561e97af797a22f10f94aaa603acb14a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Could allow reading arbitrary host files if a caller-supplied path were joined into a filesystem path. Triage note: the match is a FUSE `Open` handler taking `req *fuse.OpenRequest`; the kernel delivers an already-resolved node inside the mount rather than a free-form path string, so this pattern match is likely a false positive. Confirm that nothing from the request is concatenated into a path before accepting or downgrading the `likely` verdict."}, "properties": {"repobilityId": 84114, "scanner": "repobility-threat-engine", "fingerprint": "a6187b3758b7f7186458c084bcea4668447acc51d64ba21755e560c0c8b8672b", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(ctx context.Context, req *fuse.OpenRequest", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|cmd/mount/file.go|67|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/mount/file.go"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 84111, "scanner": "repobility-threat-engine", "fingerprint": "dc5169e10dd2ff8d7672fae779e3b0687c85b6b960b6bdb56fee064951cb7ddd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dc5169e10dd2ff8d7672fae779e3b0687c85b6b960b6bdb56fee064951cb7ddd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "librclone/librclone/librclone.go"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() 
that silently swallows panic."}, "properties": {"repobilityId": 84110, "scanner": "repobility-threat-engine", "fingerprint": "60c21d70114ca87ef55929d25a2c492f10151f538e74e899bf813de18859fa72", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|60c21d70114ca87ef55929d25a2c492f10151f538e74e899bf813de18859fa72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/serve/dlna/dlna_util.go"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 84109, "scanner": "repobility-threat-engine", "fingerprint": "6f5c520a588c83b0616a7ab7d83f1595dea95d478b4c7f84209d70b6c0b449e2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6f5c520a588c83b0616a7ab7d83f1595dea95d478b4c7f84209d70b6c0b449e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/cmount/mount.go"}, "region": {"startLine": 154}}}]}, {"ruleId": "SEC093", 
"level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 84108, "scanner": "repobility-threat-engine", "fingerprint": "8e4d56a624d448d4a3b4fd9639f44ced97cd395400373de1091c555ce7643deb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.Command(script,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8e4d56a624d448d4a3b4fd9639f44ced97cd395400373de1091c555ce7643deb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fstest/testserver/testserver.go"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. 
Caveat: os/exec does not invoke a shell, so shell metacharacters in the value are not interpreted; the exposure is that whoever controls the command variable (or the argument slice) chooses which binary runs and with which arguments. Confirm whether the value comes from trusted operator configuration or from untrusted input before treating this as exploitable. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 84107, "scanner": "repobility-threat-engine", "fingerprint": "833538ac5abdf368c8df8d8b45a28c38a2c811d7b672f4417eab0c69a36d8ca4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|833538ac5abdf368c8df8d8b45a28c38a2c811d7b672f4417eab0c69a36d8ca4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/sftp/ssh_external.go"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 84094, "scanner": "repobility-threat-engine", "fingerprint": "4b1d539da8a59bce508e2aee1a2445e066ba69f4057eac4d6d48fc50f6268e9f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4b1d539da8a59bce508e2aee1a2445e066ba69f4057eac4d6d48fc50f6268e9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cache/plex.go"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI 
mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 84093, "scanner": "repobility-threat-engine", "fingerprint": "56dae6ccbe77a6d33ed277bdf8bc66f1fc2c9be59c5cc7f91ca13d9c5ec810f7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "kf.errCache.Delete(resolvedPath)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|56dae6ccbe77a6d33ed277bdf8bc66f1fc2c9be59c5cc7f91ca13d9c5ec810f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/smb/kerberos.go"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production. Caveat: this rule describes JavaScript/TypeScript Promises, but the flagged location is a Go source file (backend/cache/storage_memory.go) and the matched call m.db.Delete(key) is an ordinary synchronous Go call; Go has no Promise or await construct. Treat this as a probable false positive and check that the rule's language filter is being applied."}, "properties": {"repobilityId": 84092, "scanner": "repobility-threat-engine", "fingerprint": "021857c714e2eb3b1505cefb803fe78cda273df1719753c2ff7c5330e3d9ec96", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "m.db.Delete(key)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|021857c714e2eb3b1505cefb803fe78cda273df1719753c2ff7c5330e3d9ec96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cache/storage_memory.go"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 84091, "scanner": "repobility-threat-engine", "fingerprint": "c310d617cbbee0fa4cc3e3b59da13ba8453fae83b7de4350dbfbbcac0c27b2f0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "p.stateCache.Delete(v.Key)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c310d617cbbee0fa4cc3e3b59da13ba8453fae83b7de4350dbfbbcac0c27b2f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cache/plex.go"}, "region": {"startLine": 176}}}]}, {"ruleId": "SEC088", "level": "error", "message": {"text": "[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM risk. 
Ported from gosec G402 (Apache-2.0)."}, "properties": {"repobilityId": 84090, "scanner": "repobility-threat-engine", "fingerprint": "0b0995fa73bc041d768cef3bb10fa2bbb98ea83efacc820eba3d8e4f967cdee6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "InsecureSkipVerify: true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC088", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0b0995fa73bc041d768cef3bb10fa2bbb98ea83efacc820eba3d8e4f967cdee6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cache/plex.go"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 84088, "scanner": "repobility-threat-engine", "fingerprint": "544736ea1ef96c2142cf81aa67a1a793831bc80518090a6c316c4c6a0134037a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|544736ea1ef96c2142cf81aa67a1a793831bc80518090a6c316c4c6a0134037a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/imagekit/client/url.go"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 84087, "scanner": "repobility-threat-engine", "fingerprint": "2e03647adada6f6ba017415f352c1311322ddc77015dbe2465ed4021ac69f709", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2e03647adada6f6ba017415f352c1311322ddc77015dbe2465ed4021ac69f709"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/doi/invenio.go"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 84086, "scanner": "repobility-threat-engine", "fingerprint": "ca71522f955dee5f9ea872c04dfde521440833e5a540abf653bcdbaad043e399", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.NewRequest(\"GET\", f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ca71522f955dee5f9ea872c04dfde521440833e5a540abf653bcdbaad043e399"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cache/plex.go"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 84076, "scanner": "repobility-threat-engine", "fingerprint": "2377cba29cfe021806381f6a4b0a25aeda678c0409aa9d81be46639c523069ca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2377cba29cfe021806381f6a4b0a25aeda678c0409aa9d81be46639c523069ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/compress/gzip_handler.go"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just 
checksums)."}, "properties": {"repobilityId": 84075, "scanner": "repobility-threat-engine", "fingerprint": "75def20ddb06935c1534e04f02fa34ce1a4c90b7623e0f49389c1ccd1c77471c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|75def20ddb06935c1534e04f02fa34ce1a4c90b7623e0f49389c1ccd1c77471c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/box/upload.go"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 84074, "scanner": "repobility-threat-engine", "fingerprint": "488a0108bed2a66a0c22345d9f85c69fc583ec57828d6a6762ba811e34e4a701", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|488a0108bed2a66a0c22345d9f85c69fc583ec57828d6a6762ba811e34e4a701"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/box/api/types.go"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err 
:= fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 84072, "scanner": "repobility-threat-engine", "fingerprint": "35c72aec319d8f16ba5204c4dd40f9e7e0154d8bd135557bc520c305788b254f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|35c72aec319d8f16ba5204c4dd40f9e7e0154d8bd135557bc520c305788b254f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/compress/gzip_handler.go"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 84071, "scanner": "repobility-threat-engine", "fingerprint": "da8bb8a9f63dfc9e41a8b184b7bd643e98912a4be38f90b6be35b51a4dbca549", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|da8bb8a9f63dfc9e41a8b184b7bd643e98912a4be38f90b6be35b51a4dbca549"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cache/object.go"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 84070, "scanner": "repobility-threat-engine", "fingerprint": "3976f0990d9e6f48fc9da7bd713fa5e3132c16806846c7090566f0680e91ef73", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3976f0990d9e6f48fc9da7bd713fa5e3132c16806846c7090566f0680e91ef73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/archive/squashfs/squashfs.go"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.RCLONE_CONFIG_PASS` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.RCLONE_CONFIG_PASS }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 84224, "scanner": "repobility-supply-chain", "fingerprint": "da869e6a83d1b12e12e5a15b8b281d68557704b3930eb94f158f99d343ed1b60", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|da869e6a83d1b12e12e5a15b8b281d68557704b3930eb94f158f99d343ed1b60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 496}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.RCLONE_CONFIG_PASS` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.RCLONE_CONFIG_PASS }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Caveat: for `pull_request` runs triggered from a fork, GitHub does not pass repository secrets to the runner (only a read-only GITHUB_TOKEN), so the reference evaluates to an empty value and an arbitrary fork PR cannot exfiltrate it through this event alone; the exposure is real for same-repository branches and for `pull_request_target`. Confirm which triggers reach this step and whether it is gated with an `if:` condition on the event type before accepting the critical rating. Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 84223, "scanner": "repobility-supply-chain", "fingerprint": "a4841fd8e8d200313c7b529744041822ea5f383ae660f26a240627aa518f5719", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a4841fd8e8d200313c7b529744041822ea5f383ae660f26a240627aa518f5719"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 245}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 84183, "scanner": "repobility-ast-engine", "fingerprint": "16dcecf8480b42f0765f4c69d66b0be720a56ba0a82e43f19b6182674d8c8a87", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|16dcecf8480b42f0765f4c69d66b0be720a56ba0a82e43f19b6182674d8c8a87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/update-authors.py"}, "region": {"startLine": 59}}}]}]}]}