{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. 
This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /v"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /v1/:...slug/route."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define 
.repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. 
If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `undici` is 2 major version(s) behind (^6.0.0 -> 8.3.0)", "shortDescription": {"text": "npm package `undici` is 2 major version(s) behind (^6.0.0 -> 8.3.0)"}, "fullDescription": {"text": "`undici` is pinned/resolved at ^6.0.0 but the latest stable release on the npm registry is 8.3.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. 
This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. 
Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "pre-commit hook `https://github.com/rbubley/mirrors-prettier` pinned to mutable rev `v3.3.2`", "shortDescription": {"text": "pre-commit hook `https://github.com/rbubley/mirrors-prettier` pinned to mutable rev `v3.3.2`"}, "fullDescription": {"text": "`.pre-commit-config.yaml` references `https://github.com/rbubley/mirrors-prettier` at `rev: v3.3.2`. 
If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express POST /proxy/v1/*splat has no auth", "shortDescription": {"text": "Express POST /proxy/v1/*splat has no auth"}, "fullDescription": {"text": "Express route POST /proxy/v1/*splat declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "jwt", "name": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.", "shortDescription": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.TEST_CLOUDFLARE_API_TOKEN` on a `pull_request` trigger", "shortDescription": {"text": 
"Workflow uses `secrets.TEST_CLOUDFLARE_API_TOKEN` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TEST_CLOUDFLARE_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1218"}, "properties": {"repository": "braintrustdata/braintrust-proxy", "repoUrl": "https://github.com/braintrustdata/braintrust-proxy", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 123028, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 123027, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", 
"confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 123022, "scanner": "repobility-journey-contract", "fingerprint": "8d828ecec804f5f6cc530fa21e346ec18cd3cdfa83db127fb4c3d1a487d6128a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/ping", "correlation_key": "fp|8d828ecec804f5f6cc530fa21e346ec18cd3cdfa83db127fb4c3d1a487d6128a", "backend_endpoint_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/vercel/pages/index.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /v1/:...slug/route."}, "properties": {"repobilityId": 123021, "scanner": "repobility-access-control", "fingerprint": "f1025f70df9899d643efdf1d4d90c72d67560b5006d84dac1f4ccf80934e8bb6", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/:...slug/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|apis/vercel/app/api/v1/ ...slug /route.ts|180|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/vercel/app/api/v1/[...slug]/route.ts"}, "region": {"startLine": 180}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /v1/:...slug/route."}, "properties": {"repobilityId": 123020, "scanner": "repobility-access-control", "fingerprint": "734947c599ea3026b48ab4c587d827d5af6b008e92f1d022ac8b669164ce046c", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/:...slug/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|apis/vercel/app/api/v1/ ...slug /route.ts|176|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/vercel/app/api/v1/[...slug]/route.ts"}, "region": {"startLine": 176}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /ping/route."}, "properties": {"repobilityId": 123019, "scanner": "repobility-access-control", "fingerprint": "5ad60a06b8e01dd0e97f23c154c4bc37d975683a364ea27063fd19f48db44539", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/ping/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|8|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/vercel/app/api/ping/route.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 123018, "scanner": "repobility-access-control", "fingerprint": "b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 3, "correlation_key": "fp|b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "auth_visible_percent": 0.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 123017, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": 
"medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 123016, "scanner": "osv-scanner", "fingerprint": "fdef028f4a816ff49a3feddc8fea57767b8bd7a5285d824fe826196183701971", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 123015, "scanner": "osv-scanner", "fingerprint": "0727364e57c088dabd2840fd21980edb99b147969b7db2965e7188703dcea5f1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception 
handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 123011, "scanner": "repobility-threat-engine", "fingerprint": "cb0b179ad5636e26899d0034006ef00fcabc287adada754e3edd5002a01ec889", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) {\n        return null;\n      }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cb0b179ad5636e26899d0034006ef00fcabc287adada754e3edd5002a01ec889"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/utils/tests.ts"}, "region": {"startLine": 271}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 123009, "scanner": "repobility-threat-engine", "fingerprint": "e1800720975262813eebc1c3f0ba7644ef7a8673b5e10f5060da8de669db76b5", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e1800720975262813eebc1c3f0ba7644ef7a8673b5e10f5060da8de669db76b5"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/src/util.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 122982, "scanner": "repobility-agent-runtime", "fingerprint": "be785e2f61c1321a1a7bdc75f3db38dfa7b6a22dda443fa26d58bbc1a1e98779", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|be785e2f61c1321a1a7bdc75f3db38dfa7b6a22dda443fa26d58bbc1a1e98779"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/src/providers/util.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `undici` is 2 major version(s) behind (^6.0.0 -> 8.3.0)"}, "properties": {"repobilityId": 122981, "scanner": "repobility-dependency-currency", "fingerprint": "691cf47902e097f1c630e7c475c6ee56dc176d8bc2cc22a94bef6b2e220beebe", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "undici", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.3.0", "correlation_key": "fp|691cf47902e097f1c630e7c475c6ee56dc176d8bc2cc22a94bef6b2e220beebe", "current_version": "^6.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/vercel/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": 
{"text": "npm package `@vercel/kv` is 3 major version(s) behind (^0.2.2 -> 3.0.0)"}, "properties": {"repobilityId": 122980, "scanner": "repobility-dependency-currency", "fingerprint": "70ae5804c27b3610c21a792675b4ef5854570e2b86ed66d76da704caf46aee00", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vercel/kv", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.0", "correlation_key": "fp|70ae5804c27b3610c21a792675b4ef5854570e2b86ed66d76da704caf46aee00", "current_version": "^0.2.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/vercel/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `yargs` is 1 major version(s) behind (^17.7.2 -> 18.0.0)"}, "properties": {"repobilityId": 122978, "scanner": "repobility-dependency-currency", "fingerprint": "ebc5f8e83a2e559441714e510628ea7c32bf6e87b2c9b946975d6d2652dba912", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "yargs", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "18.0.0", "correlation_key": "fp|ebc5f8e83a2e559441714e510628ea7c32bf6e87b2c9b946975d6d2652dba912", "current_version": "^17.7.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/uuid` is 2 major version(s) behind (^9.0.7 -> 11.0.0)"}, "properties": {"repobilityId": 122974, "scanner": 
"repobility-dependency-currency", "fingerprint": "167d396fe2e13dd645f1de73922cfe4238850fe0a54050049b159dc28ce19fee", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/uuid", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "11.0.0", "correlation_key": "fp|167d396fe2e13dd645f1de73922cfe4238850fe0a54050049b159dc28ce19fee", "current_version": "^9.0.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `uuid` is 5 major version(s) behind (^9.0.1 -> 14.0.0)"}, "properties": {"repobilityId": 122971, "scanner": "repobility-dependency-currency", "fingerprint": "e3f83b636f6606608baf196d443e33f52d40692ce122bc7091a6edcc14dac375", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "5 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "uuid", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "14.0.0", "correlation_key": "fp|e3f83b636f6606608baf196d443e33f52d40692ce122bc7091a6edcc14dac375", "current_version": "^9.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `jose` is 1 major version(s) behind (^5.9.6 -> 6.2.3)"}, "properties": {"repobilityId": 122970, "scanner": "repobility-dependency-currency", "fingerprint": "2c1b611b28f1188be03be835169fa8e1ee78aa4b8ccf1a4f93e89d82c85229b0", "category": "dependency", "severity": 
"medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jose", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.2.3", "correlation_key": "fp|2c1b611b28f1188be03be835169fa8e1ee78aa4b8ccf1a4f93e89d82c85229b0", "current_version": "^5.9.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `eventsource-parser` is 2 major version(s) behind (^1.1.1 -> 3.1.0)"}, "properties": {"repobilityId": 122969, "scanner": "repobility-dependency-currency", "fingerprint": "40d18b99f388964f78389365ed3b9636d0a75b4652021f6ea9b7282d768e66e6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eventsource-parser", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.1.0", "correlation_key": "fp|40d18b99f388964f78389365ed3b9636d0a75b4652021f6ea9b7282d768e66e6", "current_version": "^1.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `content-disposition` is 2 major version(s) behind (^0.5.4 -> 2.0.1)"}, "properties": {"repobilityId": 122967, "scanner": "repobility-dependency-currency", "fingerprint": "70b6879d37883a3223346c4a223f4fa80333cff9019dd1a9d1e51f966ddabe67", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": 
"2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "content-disposition", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.0.1", "correlation_key": "fp|70b6879d37883a3223346c4a223f4fa80333cff9019dd1a9d1e51f966ddabe67", "current_version": "^0.5.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 123026, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 123025, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 123024, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 123023, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `zod-to-json-schema` is minor version(s) behind (^3.24.6 -> 3.25.2)"}, "properties": {"repobilityId": 122979, "scanner": 
"repobility-dependency-currency", "fingerprint": "c81adef6196d517e38fc95f9f93d7be281722522c734af9a8c246786385447a3", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "zod-to-json-schema", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.25.2", "correlation_key": "fp|c81adef6196d517e38fc95f9f93d7be281722522c734af9a8c246786385447a3", "current_version": "^3.24.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `tsx` is minor version(s) behind (^4.8.1 -> 4.22.4)"}, "properties": {"repobilityId": 122977, "scanner": "repobility-dependency-currency", "fingerprint": "85c400b5307843775a9f51aaa92f143bb67374c7d96c7f08ade1b82623bab217", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tsx", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.22.4", "correlation_key": "fp|85c400b5307843775a9f51aaa92f143bb67374c7d96c7f08ade1b82623bab217", "current_version": "^4.8.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `esbuild` is minor version(s) behind (^0.27.0 -> 0.28.0)"}, "properties": {"repobilityId": 122976, "scanner": "repobility-dependency-currency", "fingerprint": "54dee84acfa6813c08cc3379aa9e4196e79d1b488f2e0ed755e6f087807ba721", "category": "dependency", "severity": "low", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "esbuild", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.28.0", "correlation_key": "fp|54dee84acfa6813c08cc3379aa9e4196e79d1b488f2e0ed755e6f087807ba721", "current_version": "^0.27.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `cache-control-parser` is minor version(s) behind (^2.0.6 -> 2.2.0)"}, "properties": {"repobilityId": 122966, "scanner": "repobility-dependency-currency", "fingerprint": "eaa3ff6776da7259da03c85a8a5157157146f51f84d271e4e7cb597bf75cb3df", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cache-control-parser", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.2.0", "correlation_key": "fp|eaa3ff6776da7259da03c85a8a5157157146f51f84d271e4e7cb597bf75cb3df", "current_version": "^2.0.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@opentelemetry/sdk-metrics` is minor version(s) behind (^2.1.0 -> 2.7.1)"}, "properties": {"repobilityId": 122965, "scanner": "repobility-dependency-currency", "fingerprint": "dec70780efe167dac26917a3781cfc8d2c88608ba456739a81f92dc1c023605d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor 
version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@opentelemetry/sdk-metrics", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.7.1", "correlation_key": "fp|dec70780efe167dac26917a3781cfc8d2c88608ba456739a81f92dc1c023605d", "current_version": "^2.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@opentelemetry/resources` is minor version(s) behind (^2.1.0 -> 2.7.1)"}, "properties": {"repobilityId": 122964, "scanner": "repobility-dependency-currency", "fingerprint": "a2db2f54955e2ca44a1a31775c46ad60a38d8929a4b74692ddce36c42b4c90ae", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@opentelemetry/resources", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.7.1", "correlation_key": "fp|a2db2f54955e2ca44a1a31775c46ad60a38d8929a4b74692ddce36c42b4c90ae", "current_version": "^2.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@opentelemetry/exporter-metrics-otlp-http` is minor version(s) behind (^0.204.0 -> 0.218.0)"}, "properties": {"repobilityId": 122963, "scanner": "repobility-dependency-currency", "fingerprint": "b149d5e09e0ca067d361b4c446021f9c2a2d2cb019692f554760f13b9d91f61c", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": 
"@opentelemetry/exporter-metrics-otlp-http", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.218.0", "correlation_key": "fp|b149d5e09e0ca067d361b4c446021f9c2a2d2cb019692f554760f13b9d91f61c", "current_version": "^0.204.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@opentelemetry/core` is minor version(s) behind (^2.1.0 -> 2.7.1)"}, "properties": {"repobilityId": 122962, "scanner": "repobility-dependency-currency", "fingerprint": "1330404b9eea40da3a816107f9b33c9ce2025282a35ac7d831cbee9e4bd9dfee", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@opentelemetry/core", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.7.1", "correlation_key": "fp|1330404b9eea40da3a816107f9b33c9ce2025282a35ac7d831cbee9e4bd9dfee", "current_version": "^2.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@openapi-contrib/json-schema-to-openapi-schema` is minor version(s) behind (^4.2.0 -> 4.3.2)"}, "properties": {"repobilityId": 122960, "scanner": "repobility-dependency-currency", "fingerprint": "3773805ea0ba111e2e03395054662d17502aab9de442c246b1cb20f5063740b8", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@openapi-contrib/json-schema-to-openapi-schema", "scanner": 
"repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.3.2", "correlation_key": "fp|3773805ea0ba111e2e03395054662d17502aab9de442c246b1cb20f5063740b8", "current_version": "^4.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@aws-sdk/client-bedrock-runtime` is minor version(s) behind (3.1042.0 -> 3.1063.0)"}, "properties": {"repobilityId": 122959, "scanner": "repobility-dependency-currency", "fingerprint": "ba2aefb37b51cee110ef505ea03d20a2e3e49f668bb561a236eacca995bf814d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@aws-sdk/client-bedrock-runtime", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.1063.0", "correlation_key": "fp|ba2aefb37b51cee110ef505ea03d20a2e3e49f668bb561a236eacca995bf814d", "current_version": "3.1042.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@anthropic-ai/sdk` is minor version(s) behind (^0.95.1 -> 0.100.1)"}, "properties": {"repobilityId": 122958, "scanner": "repobility-dependency-currency", "fingerprint": "1d0adceec4ba978cfd3866a44bbdea3e3ab2064d7a9317fbbc7f10a4e65a1d94", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@anthropic-ai/sdk", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], 
"latest_version": "0.100.1", "correlation_key": "fp|1d0adceec4ba978cfd3866a44bbdea3e3ab2064d7a9317fbbc7f10a4e65a1d94", "current_version": "^0.95.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `prettier` is minor version(s) behind (3.3.2 -> 3.8.3)"}, "properties": {"repobilityId": 122957, "scanner": "repobility-dependency-currency", "fingerprint": "d3da881bd00409e1df2add7e10ce3137b3195f09623a120429289f8ea8a07d49", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "prettier", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.8.3", "correlation_key": "fp|d3da881bd00409e1df2add7e10ce3137b3195f09623a120429289f8ea8a07d49", "current_version": "3.3.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 122943, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b2554570fd1917bd310686f6e5bbb6238bf05ea1907d335457607b39feb333a9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apis/cloudflare/src/proxy.ts", "duplicate_line": 127, "correlation_key": "fp|b2554570fd1917bd310686f6e5bbb6238bf05ea1907d335457607b39feb333a9"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "apis/cloudflare/src/realtime.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 123006, "scanner": "repobility-threat-engine", "fingerprint": "4924569251a699ff2356edd0cdc4d0cf19713d0af47def2926e3620ce794ed04", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4924569251a699ff2356edd0cdc4d0cf19713d0af47def2926e3620ce794ed04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/src/util.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 123005, "scanner": "repobility-threat-engine", "fingerprint": "7fb475a71c74daad3d576d057a02e758d471ab10177cc2012ce7ce7171b0a829", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7fb475a71c74daad3d576d057a02e758d471ab10177cc2012ce7ce7171b0a829"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/node/src/node-proxy.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 123004, "scanner": "repobility-threat-engine", "fingerprint": "ff49cf1bbb9c37fb7763d13722310214fa2082e7013aaba025ac91207bd22a88", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ff49cf1bbb9c37fb7763d13722310214fa2082e7013aaba025ac91207bd22a88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/node/src/local.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 123002, "scanner": "repobility-threat-engine", "fingerprint": "95723df1c326cac4357c3870304ece0e2c4f10d325710e9eed80bdc140e867a1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|95723df1c326cac4357c3870304ece0e2c4f10d325710e9eed80bdc140e867a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/src/metrics.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": 
"MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 123001, "scanner": "repobility-threat-engine", "fingerprint": "50e02ba2133ba41b8767e04cfc54d35acb3546242ba47a26cc414cd651ff3a78", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|50e02ba2133ba41b8767e04cfc54d35acb3546242ba47a26cc414cd651ff3a78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/cloudflare/src/realtime.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 123000, "scanner": "repobility-threat-engine", "fingerprint": "d6ff52f326a217119b363f1aee474b58469492e74a7fc3a211d777ba7b2b5474", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d6ff52f326a217119b363f1aee474b58469492e74a7fc3a211d777ba7b2b5474", "aggregated_count": 2}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 122999, "scanner": "repobility-threat-engine", "fingerprint": "3e7ca86c8fbdd64e4756cdfe154a09984b991a5f8061e1ba125a758798da6fc4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e7ca86c8fbdd64e4756cdfe154a09984b991a5f8061e1ba125a758798da6fc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/schema/media-types.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 122998, "scanner": "repobility-threat-engine", "fingerprint": "dea6aaaa9717876629eaa5617c0825476d396ac28ec58ba509722dbc6f5a263d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dea6aaaa9717876629eaa5617c0825476d396ac28ec58ba509722dbc6f5a263d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/node/src/login.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 122997, "scanner": "repobility-threat-engine", "fingerprint": "511c530e030396cf24cc1d9a2fd314e7990760af9759aaf5a832a766d06ae713", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|511c530e030396cf24cc1d9a2fd314e7990760af9759aaf5a832a766d06ae713"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/cloudflare/src/realtime.ts"}, "region": {"startLine": 269}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 122996, "scanner": "repobility-threat-engine", "fingerprint": "1e23ec0de5208478d6f4123b2d64fcf9b0ce84174d5f23aecd4276c4b01a1979", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1e23ec0de5208478d6f4123b2d64fcf9b0ce84174d5f23aecd4276c4b01a1979"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/node/src/local.ts"}, 
"region": {"startLine": 61}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 122995, "scanner": "repobility-threat-engine", "fingerprint": "e98edf2c6eaef8364e85e2d9b1420cf1d3b7acb071afc5e300557a0f263ccd1b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e98edf2c6eaef8364e85e2d9b1420cf1d3b7acb071afc5e300557a0f263ccd1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/cloudflare/src/proxy.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints. A literal * cannot be combined with Access-Control-Allow-Credentials: true (browsers block credentialed cookie responses to it), so the practical exposure is an API authenticated by bearer tokens or API keys that any origin can attach, and any later change that reflects the request Origin header instead of *."}, "properties": {"repobilityId": 122994, "scanner": "repobility-threat-engine", "fingerprint": "a0722990d80046eb9cde9ca003acda828138aeb559f6d8a4d919df23a2a43642", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a0722990d80046eb9cde9ca003acda828138aeb559f6d8a4d919df23a2a43642"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/cloudflare/src/index.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 122993, "scanner": "repobility-threat-engine", "fingerprint": "ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 122989, "scanner": "repobility-threat-engine", "fingerprint": "5dbb9c9aeae4e323789e3c8382a48b9986a1c09f59fc9918e319871ba411dc73", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|5dbb9c9aeae4e323789e3c8382a48b9986a1c09f59fc9918e319871ba411dc73", "aggregated_count": 10}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 122988, "scanner": "repobility-threat-engine", "fingerprint": "39b671a4ee785ec5537e1a851325a953187d12fc02fe977a5d961347aa4b1055", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|39b671a4ee785ec5537e1a851325a953187d12fc02fe977a5d961347aa4b1055"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/cloudflare/src/realtime.ts"}, "region": {"startLine": 246}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 122987, "scanner": "repobility-threat-engine", "fingerprint": "e26b6d18fca6cc8ef850903756ae152e679163274fbea0584b85658e3bf815a2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e26b6d18fca6cc8ef850903756ae152e679163274fbea0584b85658e3bf815a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/cloudflare/src/proxy.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 122986, "scanner": "repobility-threat-engine", "fingerprint": "28bd7c414a722c39ec7d8be70f3a7cac8dc16bf37f2b475bc4cb4e1b4f9f93ec", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|28bd7c414a722c39ec7d8be70f3a7cac8dc16bf37f2b475bc4cb4e1b4f9f93ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/cloudflare/src/billing.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable. UUIDv3 is a deterministic MD5 of a namespace and name, so anyone who knows the inputs can reproduce it; only a v4 UUID drawn from a CSPRNG such as crypto.randomUUID is suitable for tokens."}, "properties": {"repobilityId": 122985, "scanner": "repobility-threat-engine", "fingerprint": "52f2792aa39bc6dc6a43b065c5cd4b06d924649d03cc4561e9a9917e2b1e122e", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|apis/vercel/app/api/v1/ ...slug /route.ts|87|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/vercel/app/api/v1/[...slug]/route.ts"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable. UUIDv3 is a deterministic MD5 of a namespace and name, so anyone who knows the inputs can reproduce it; only a v4 UUID drawn from a CSPRNG such as crypto.randomUUID is suitable for tokens."}, "properties": {"repobilityId": 122984, "scanner": "repobility-threat-engine", "fingerprint": "b78363b5a8858805b7c062d4198045d7d81c92613ec8127e9dfb6bcb603ceaf7", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|29|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/cloudflare/src/billing.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 122983, "scanner": "repobility-threat-engine", "fingerprint": "b7f86eb141f6c4a47e0ce24a221457b6e531744dede9301bee52ea4910df7c34", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.warn(\"billing event skipped: missing token usage\")", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|2|console.warn billing event skipped: missing token usage"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/cloudflare/src/billing.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@types/yargs` is patch version(s) behind (^17.0.33 -> 17.0.35)"}, "properties": {"repobilityId": 122975, "scanner": "repobility-dependency-currency", "fingerprint": "362c09afe585bebdb681732f2671f0c36ad93b8b96ce5197da737e9345985110", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/yargs", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.0.35", "correlation_key": "fp|362c09afe585bebdb681732f2671f0c36ad93b8b96ce5197da737e9345985110", "current_version": "^17.0.33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", 
"level": "none", "message": {"text": "npm package `@types/jsonwebtoken` is patch version(s) behind (^9.0.7 -> 9.0.10)"}, "properties": {"repobilityId": 122973, "scanner": "repobility-dependency-currency", "fingerprint": "77bc2299bacf14fc03dcdbb4d82bd076164cb6eb08282e11ea55b33a3845ed42", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/jsonwebtoken", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.0.10", "correlation_key": "fp|77bc2299bacf14fc03dcdbb4d82bd076164cb6eb08282e11ea55b33a3845ed42", "current_version": "^9.0.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@types/content-disposition` is patch version(s) behind (^0.5.8 -> 0.5.9)"}, "properties": {"repobilityId": 122972, "scanner": "repobility-dependency-currency", "fingerprint": "efa81c46177182469c6d70847c21c60107b50209c6d33236f5f5b7c783611689", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/content-disposition", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.5.9", "correlation_key": "fp|efa81c46177182469c6d70847c21c60107b50209c6d33236f5f5b7c783611689", "current_version": "^0.5.8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `dereference-json-schema` is patch version(s) behind 
(^0.2.1 -> 0.2.2)"}, "properties": {"repobilityId": 122968, "scanner": "repobility-dependency-currency", "fingerprint": "001254a91e375a6e575306de38b3cf8dcefe7e8270b7d5cf414d4c8be0c19f80", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "dereference-json-schema", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.2.2", "correlation_key": "fp|001254a91e375a6e575306de38b3cf8dcefe7e8270b7d5cf414d4c8be0c19f80", "current_version": "^0.2.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@opentelemetry/api` is patch version(s) behind (1.9.0 -> 1.9.1)"}, "properties": {"repobilityId": 122961, "scanner": "repobility-dependency-currency", "fingerprint": "88390c41a645c500b7478b35a073b8bda8d14cdc6ea75ba639fc9c3061fbfba0", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@opentelemetry/api", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.9.1", "correlation_key": "fp|88390c41a645c500b7478b35a073b8bda8d14cdc6ea75ba639fc9c3061fbfba0", "current_version": "1.9.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. 
The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production. Before treating a match as a defect, confirm the callee returns a Promise at all: the matched statement, importedEncryptionKeys.delete(oldestKey), has the shape of a synchronous Map/Set delete, which returns a boolean and needs no await; if that is what it is, this finding is a false positive."}, "properties": {"repobilityId": 123010, "scanner": "repobility-threat-engine", "fingerprint": "218d63c485ffaa184277f87d2ff4b1621fa85d089ea0a543f2d7bad63269d732", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "importedEncryptionKeys.delete(oldestKey);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|218d63c485ffaa184277f87d2ff4b1621fa85d089ea0a543f2d7bad63269d732"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/utils/encrypt.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline. Triage note: the matched text here builds a ChatML-style prompt string (<|im_start|>${role} followed by ${content}) rather than DOM HTML, so confirm the result is ever assigned to innerHTML before accepting the XSS verdict; the check that does matter for a prompt template is whether a user-supplied content value can itself contain <|im_start|> or <|im_end|> delimiters and forge a role boundary."}, "properties": {"repobilityId": 123008, "scanner": "repobility-threat-engine", "fingerprint": "6cc4dda828ef204a86f21a7dab43f5d7c520d49f4322177c33ccc6d4ade017e2", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n        ({ content, role }) => `<|im_start|>${role}\n${content}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6cc4dda828ef204a86f21a7dab43f5d7c520d49f4322177c33ccc6d4ade017e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/schema/translate.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 123007, "scanner": "repobility-threat-engine", "fingerprint": "11e6179df33d2aa4301026d672bcddbddfe68bb56543308c6e1349ce445a961c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|11e6179df33d2aa4301026d672bcddbddfe68bb56543308c6e1349ce445a961c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/node/src/node-proxy.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC135", "level": "error", "message": 
{"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 123003, "scanner": "repobility-threat-engine", "fingerprint": "8f9bc556ccb5b687a31cb7ff27ea4fae1e77ef11f519c5fe3b26acca432b48ee", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post(\"/proxy/v1/*splat\", async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8f9bc556ccb5b687a31cb7ff27ea4fae1e77ef11f519c5fe3b26acca432b48ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/node/src/local.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 122992, "scanner": "repobility-threat-engine", "fingerprint": "ae810ed8c0c0cab242334638a2996d37f1c1dca96876d1b4d9a7569f43ab9701", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ae810ed8c0c0cab242334638a2996d37f1c1dca96876d1b4d9a7569f43ab9701"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/cloudflare/src/proxy.ts"}, "region": {"startLine": 130}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 122991, "scanner": "repobility-threat-engine", "fingerprint": "5748a1571481cb75d23bb207eba93c05f8e391ac31008c9468b77c145469bc15", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5748a1571481cb75d23bb207eba93c05f8e391ac31008c9468b77c145469bc15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/cloudflare/src/index.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. The matched token here is a URL constructor call in env.ts, not the outbound request itself; confirm the parsed value actually reaches fetch() and whether its input is request-derived or static configuration before accepting the verdict."}, "properties": {"repobilityId": 122990, "scanner": "repobility-threat-engine", "fingerprint": "f3563a5411e284c0f9acd89d5ade0cf9852e0d871cab30b278f4dbae60900c2a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f3563a5411e284c0f9acd89d5ade0cf9852e0d871cab30b278f4dbae60900c2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/cloudflare/src/env.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/rbubley/mirrors-prettier` pinned to mutable rev `v3.3.2` (a tag can be moved or re-pushed; pin the full commit SHA and keep the tag name in a comment)"}, "properties": {"repobilityId": 122946, "scanner": "repobility-supply-chain", "fingerprint": "58880376fe6f071deaee787bc45492c42538844a74eb0b4ead820486debe9463", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|58880376fe6f071deaee787bc45492c42538844a74eb0b4ead820486debe9463"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/codespell-project/codespell` pinned to mutable rev `v2.2.5` (a tag can be moved or re-pushed; pin the full commit SHA and keep the tag name in a comment)"}, "properties": {"repobilityId": 122945, "scanner": "repobility-supply-chain", "fingerprint": 
"b71cadf2a6a33f1b03800ff5a4e0f4eadadbab9adfc7dd7fe35da420cf0ca7be", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b71cadf2a6a33f1b03800ff5a4e0f4eadadbab9adfc7dd7fe35da420cf0ca7be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /proxy/v1/*splat has no auth"}, "properties": {"repobilityId": 122944, "scanner": "repobility-route-auth", "fingerprint": "4d2b51b62e0765506d92cb827ed0a600ec3f12263fb5da12d17c4c6e1d72b23b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|4d2b51b62e0765506d92cb827ed0a600ec3f12263fb5da12d17c4c6e1d72b23b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apis/node/src/local.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 123014, "scanner": "gitleaks", "fingerprint": "bfd8e7ff50114745dc391180c5c2e68e47f937158519e186bdd83edfb5ee6ece", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "secret\": 
\"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|6|secret : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/utils/tempCredentials.test.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "jwt", "level": "error", "message": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "properties": {"repobilityId": 123013, "scanner": "gitleaks", "fingerprint": "0245cb0b2f1b44662209da213ff0e442862c3f20dd34e93ca537f554e6917d4b", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED\"", "rule_id": "jwt", "scanner": "gitleaks", "detector": "jwt", "correlation_key": "secret|token|4|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/utils/tempCredentials.test.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "jwt", "level": "error", "message": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "properties": {"repobilityId": 123012, "scanner": "gitleaks", "fingerprint": "928613ad3d31b94fdc9686375018cb08d0aa57d2fef2b5fd56f42c59aca7ff07", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED\"", "rule_id": "jwt", "scanner": "gitleaks", "detector": "jwt", "correlation_key": "secret|token|3|redacted", "duplicate_count": 1, "duplicate_rule_ids": ["jwt"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["6936fc37b37f7bc0e5478cd9407654fe0bef72105be3c4951d2f897aeacc3e5f", "928613ad3d31b94fdc9686375018cb08d0aa57d2fef2b5fd56f42c59aca7ff07"]}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/proxy/utils/tempCredentials.test.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.TEST_CLOUDFLARE_API_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 122956, "scanner": "repobility-supply-chain", "fingerprint": "834bd202da7d8936689bd5d7d6dbeddccb1dd142012fb02bd8e7515800dfc975", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|834bd202da7d8936689bd5d7d6dbeddccb1dd142012fb02bd8e7515800dfc975"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/js.yaml"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.TEST_CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger"}, "properties": {"repobilityId": 122955, "scanner": "repobility-supply-chain", "fingerprint": "9ea80e4fae982b78ca2ce2cf371e8fb84110b7c2fa261ae438214d7f9861a013", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ea80e4fae982b78ca2ce2cf371e8fb84110b7c2fa261ae438214d7f9861a013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/js.yaml"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses 
`secrets.TEST_CLOUDFLARE_API_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 122954, "scanner": "repobility-supply-chain", "fingerprint": "5e93ab1842889535f0a2cab0eeb7cdd5e92695a5e25b5d0a828bfb350403eef3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5e93ab1842889535f0a2cab0eeb7cdd5e92695a5e25b5d0a828bfb350403eef3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/js.yaml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.TEST_CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger"}, "properties": {"repobilityId": 122953, "scanner": "repobility-supply-chain", "fingerprint": "0efc690b8ab746fbb01b465d788ebc3fdfd250197df101c15ad4b77467dfe00e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0efc690b8ab746fbb01b465d788ebc3fdfd250197df101c15ad4b77467dfe00e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/js.yaml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.AZURE_OPENAI_API_VERSION` on a `pull_request` trigger"}, "properties": {"repobilityId": 122952, "scanner": "repobility-supply-chain", "fingerprint": "a771d9050b5b36e2abbbed1242ca53f3d27ae6348c90384cc77cb3e49477d97c", "category": "dependency", 
"severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a771d9050b5b36e2abbbed1242ca53f3d27ae6348c90384cc77cb3e49477d97c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/js.yaml"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.AZURE_OPENAI_ENDPOINT` on a `pull_request` trigger"}, "properties": {"repobilityId": 122951, "scanner": "repobility-supply-chain", "fingerprint": "0cc6e7a88823f28e14224389bafc3be9ede216382ac81f7803f6c2442d2b1127", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0cc6e7a88823f28e14224389bafc3be9ede216382ac81f7803f6c2442d2b1127"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/js.yaml"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.AZURE_OPENAI_API_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 122950, "scanner": "repobility-supply-chain", "fingerprint": "c5a59f7c4cf1b96a1e86f14b482d346eab3447bb7bbdd357641c33faa97b9876", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], 
"observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c5a59f7c4cf1b96a1e86f14b482d346eab3447bb7bbdd357641c33faa97b9876"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/js.yaml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GEMINI_API_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 122949, "scanner": "repobility-supply-chain", "fingerprint": "4c4b9d78f55f863142c62e5a48e98f7a1f6a57b2514a6e1758132cc6bcdc5c03", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4c4b9d78f55f863142c62e5a48e98f7a1f6a57b2514a6e1758132cc6bcdc5c03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/js.yaml"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 122948, "scanner": "repobility-supply-chain", "fingerprint": "7bd4084aa6472f8f3ed076c864123c3a6693f24e724f2e0a5b7586ac1cdea2d7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7bd4084aa6472f8f3ed076c864123c3a6693f24e724f2e0a5b7586ac1cdea2d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/js.yaml"}, "region": {"startLine": 
74}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.OPENAI_API_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 122947, "scanner": "repobility-supply-chain", "fingerprint": "3761f2c27b84a9a3ade774d10238184cdf0a8248a1759e3746699e00794f6196", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3761f2c27b84a9a3ade774d10238184cdf0a8248a1759e3746699e00794f6196"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/js.yaml"}, "region": {"startLine": 73}}}]}]}]}