{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xrhx-7g5j-rcj5", "name": "hono: GHSA-xrhx-7g5j-rcj5", "shortDescription": {"text": "hono: GHSA-xrhx-7g5j-rcj5"}, "fullDescription": {"text": "Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f577-qrjj-4474", "name": "hono: GHSA-f577-qrjj-4474", "shortDescription": {"text": "hono: GHSA-f577-qrjj-4474"}, "fullDescription": {"text": "Hono: JWT middleware accepts any Authorization scheme, not only Bearer"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3hrh-pfw6-9m5x", "name": "hono: GHSA-3hrh-pfw6-9m5x", "shortDescription": {"text": "hono: GHSA-3hrh-pfw6-9m5x"}, "fullDescription": {"text": "Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2gcr-mfcq-wcc3", "name": "hono: GHSA-2gcr-mfcq-wcc3", "shortDescription": {"text": "hono: GHSA-2gcr-mfcq-wcc3"}, "fullDescription": {"text": "Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 
0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. 
Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT013", "name": "Agent auto-approve or skip-permissions mode is easy to enable", "shortDescription": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "fullDescription": {"text": "Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-GHA", "name": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)", "shortDescription": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "fullDescription": {"text": "`uses: actions/setup-node@v4` is 2 major version(s) behind the latest published release v6.4.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises \u2014 and which Repobility had no coverage for."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `@biomejs/biome` is 1 major version(s) behind (^1.9.4 -> 2.4.16)", "shortDescription": {"text": "npm package `@biomejs/biome` is 1 major version(s) behind (^1.9.4 -> 2.4.16)"}, "fullDescription": {"text": "`@biomejs/biome` is pinned/resolved at ^1.9.4 but the latest stable release on the npm registry is 2.4.16 (1 major version(s) behind). 
Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16.\nApply the block to the address the hostname actually resolves to and to every redirect target, and include loopback (127/8) and the IPv6 equivalents (::1, fc00::/7, fe80::/10)."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "GHSA-ph9p-34f9-6g65", "name": "tmp: GHSA-ph9p-34f9-6g65", "shortDescription": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "fullDescription": {"text": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. 
Never combine wildcard origin with credentials; browsers reject a credentialed response whose Access-Control-Allow-Origin is `*`, so the exposure in practice comes from echoing an unvalidated Origin alongside `Access-Control-Allow-Credentials: true`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/setup-node` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express POST /v1/agent/decide has no auth", "shortDescription": {"text": "Express POST /v1/agent/decide has no auth"}, "fullDescription": {"text": "Express route POST /v1/agent/decide declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED114", "name": "Admin endpoint without auth: POST /v1/admin/sync-mirror", "shortDescription": {"text": "Admin endpoint without auth: POST /v1/admin/sync-mirror"}, "fullDescription": {"text": "Express route on /admin path (/v1/admin/sync-mirror) with no auth middleware."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "critical", "confidence": 0.8, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1400"}, "properties": {"repository": "foru17/make-x-great-again", "repoUrl": "https://github.com/foru17/make-x-great-again", "branch": "main"}, "results": [{"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 143688, "scanner": "osv-scanner", "fingerprint": "cafb5373b4b993df1df5bda5d0afc3f786a3553f8f068686cc50b9f8f2e39cbe", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|token"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "services/edge/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xrhx-7g5j-rcj5", "level": "warning", "message": {"text": "hono: GHSA-xrhx-7g5j-rcj5"}, "properties": {"repobilityId": 143687, "scanner": "osv-scanner", "fingerprint": "c0132011b316e76f54f22bb5a1e6cc38c49a9783432b6281b69e05890936f31d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47674"], "package": "hono", "rule_id": "GHSA-xrhx-7g5j-rcj5", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47674|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f577-qrjj-4474", "level": "warning", "message": {"text": "hono: GHSA-f577-qrjj-4474"}, "properties": {"repobilityId": 143686, "scanner": "osv-scanner", "fingerprint": "13c425e3aa1eb01dc351e57d3ff5591401a699fb7fa53cd0e18bb31e104795d9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47673"], "package": "hono", "rule_id": "GHSA-f577-qrjj-4474", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47673|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3hrh-pfw6-9m5x", "level": "warning", "message": {"text": "hono: GHSA-3hrh-pfw6-9m5x"}, "properties": {"repobilityId": 143685, "scanner": "osv-scanner", "fingerprint": "53fd2d962ee9752ac8e48b8cf3cb32e695c1602ad4b2b6f8fb7015b01f95e886", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": 
["CVE-2026-47675"], "package": "hono", "rule_id": "GHSA-3hrh-pfw6-9m5x", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47675|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2gcr-mfcq-wcc3", "level": "warning", "message": {"text": "hono: GHSA-2gcr-mfcq-wcc3"}, "properties": {"repobilityId": 143684, "scanner": "osv-scanner", "fingerprint": "3dbd69851b1c7465e30b18a320c3a86b239b201fc17b52d92024a0bf36a328f2", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47676"], "package": "hono", "rule_id": "GHSA-2gcr-mfcq-wcc3", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47676|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 143683, "scanner": "osv-scanner", "fingerprint": "b07547ad45d8843896be651aed0bbef10fee0093bf1c94ca3fb9d5d92aa08ce5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|extension/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 143671, "scanner": "repobility-threat-engine", "fingerprint": 
"125209f2664b7de75997d9d2301cd4a67b0ee0e6ae1bf1e5a665c681d689f8c2", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|125209f2664b7de75997d9d2301cd4a67b0ee0e6ae1bf1e5a665c681d689f8c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/entrypoints/x-graphql-main.content.ts"}, "region": {"startLine": 135}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 143668, "scanner": "repobility-agent-runtime", "fingerprint": "c4ddd22fc15b5bde1401cda66d8aac7e4e76529925375b2e124fecb28a345268", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|c4ddd22fc15b5bde1401cda66d8aac7e4e76529925375b2e124fecb28a345268"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/pages/landing.ts"}, "region": {"startLine": 886}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 143667, "scanner": "repobility-agent-runtime", "fingerprint": "5e89685c8ae67602e87c2b1463b595adc8d1563021deece11ec097dd67e26917", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", 
"isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|5e89685c8ae67602e87c2b1463b595adc8d1563021deece11ec097dd67e26917"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/pages/admin.ts"}, "region": {"startLine": 493}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 143666, "scanner": "repobility-agent-runtime", "fingerprint": "7a9baa70c38d4c692d3d20f0731807262edb4e0544d8b3edb07de2772c9c2c9e", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|7a9baa70c38d4c692d3d20f0731807262edb4e0544d8b3edb07de2772c9c2c9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/pages/_layout.ts"}, "region": {"startLine": 244}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 143665, "scanner": "repobility-agent-runtime", "fingerprint": "b9571de76982ea8dff290c577d4a8b7ad59cd198e509dd323e990cc72dc8bfef", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": 
"AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|b9571de76982ea8dff290c577d4a8b7ad59cd198e509dd323e990cc72dc8bfef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/agent-runner/run.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 143664, "scanner": "repobility-agent-runtime", "fingerprint": "8d0af3bd84f638ffd1b0d5a5d5ee51e7d36acd0ac97f378ddb4d1000ad117a6a", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|8d0af3bd84f638ffd1b0d5a5d5ee51e7d36acd0ac97f378ddb4d1000ad117a6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/lib/ui.ts"}, "region": {"startLine": 322}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 143663, "scanner": "repobility-agent-runtime", "fingerprint": "edab172d67b9a83c5d195474f3f1aa59d65ee774ff92ba4be9089fad8f3f2d21", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|edab172d67b9a83c5d195474f3f1aa59d65ee774ff92ba4be9089fad8f3f2d21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/AGENT.md"}, "region": 
{"startLine": 216}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 143662, "scanner": "repobility-dependency-currency", "fingerprint": "9d59cd7f002eb2c833db86280befa0232b4d2a18121c0c1454ebb08692caee7b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|9d59cd7f002eb2c833db86280befa0232b4d2a18121c0c1454ebb08692caee7b", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `pnpm/action-setup@v4` is 2 major version(s) behind (latest v6.0.8)"}, "properties": {"repobilityId": 143661, "scanner": "repobility-dependency-currency", "fingerprint": "e90c961e6b93cb334f3a13f5fa04d750998f9cff32ee2424f373be95668476fb", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "pnpm/action-setup", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.8", "correlation_key": "fp|e90c961e6b93cb334f3a13f5fa04d750998f9cff32ee2424f373be95668476fb", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": 
{"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 143660, "scanner": "repobility-dependency-currency", "fingerprint": "c9f2680152e9ac9dda0c1baa72e2ef904b0f8ce105419c27a9447c450e6670d6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|c9f2680152e9ac9dda0c1baa72e2ef904b0f8ce105419c27a9447c450e6670d6", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 143659, "scanner": "repobility-dependency-currency", "fingerprint": "b8d85681daac818e348601f49c7b6b7ac8c1cb0fed6b55e33fd4ce5b3865099d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|b8d85681daac818e348601f49c7b6b7ac8c1cb0fed6b55e33fd4ce5b3865099d", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-public-list.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `pnpm/action-setup@v4` is 2 major version(s) 
behind (latest v6.0.8)"}, "properties": {"repobilityId": 143658, "scanner": "repobility-dependency-currency", "fingerprint": "d6ab372ac75503e7a3eea5371efe5ebca2c6a675d756bcfd3103a3915aeabeda", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "pnpm/action-setup", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.8", "correlation_key": "fp|d6ab372ac75503e7a3eea5371efe5ebca2c6a675d756bcfd3103a3915aeabeda", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-public-list.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 143657, "scanner": "repobility-dependency-currency", "fingerprint": "9bbf94fbe2a8772d1055119db1db31233dc0591200c354de663f1633e562ee59", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|9bbf94fbe2a8772d1055119db1db31233dc0591200c354de663f1633e562ee59", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-public-list.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@biomejs/biome` is 1 major version(s) behind (^1.9.4 -> 2.4.16)"}, "properties": {"repobilityId": 
143654, "scanner": "repobility-dependency-currency", "fingerprint": "e69c685a8a382f1d53a391c89f6b7c6153762d40aa0fc59f249f152b8db39272", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@biomejs/biome", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.4.16", "correlation_key": "fp|e69c685a8a382f1d53a391c89f6b7c6153762d40aa0fc59f249f152b8db39272", "current_version": "^1.9.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 143622, "scanner": "repobility-ast-engine", "fingerprint": "de40c468810732e70c52822f042b6e45dfb76c38d70066dfa7e1d514feac2607", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|de40c468810732e70c52822f042b6e45dfb76c38d70066dfa7e1d514feac2607"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/agent-runner/run.py"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 143621, "scanner": "repobility-ast-engine", "fingerprint": "6f31768e40382f69613cd12b924b28d04c4f1667e3363c7cac8588ec1892cad8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6f31768e40382f69613cd12b924b28d04c4f1667e3363c7cac8588ec1892cad8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/agent-runner/run.py"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 143620, "scanner": "repobility-ast-engine", "fingerprint": "553dff1997908856700203d6d61bb1d630487006844e28f6b29b1415ff7be0ef", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|553dff1997908856700203d6d61bb1d630487006844e28f6b29b1415ff7be0ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/agent-runner/run_openai.py"}, "region": {"startLine": 202}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 143619, "scanner": "repobility-ast-engine", "fingerprint": "c7123bc86c5e7da17581bae1f975aaff59924a2a472e7783d542d8c0cd445290", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c7123bc86c5e7da17581bae1f975aaff59924a2a472e7783d542d8c0cd445290"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/agent-runner/run_openai.py"}, "region": {"startLine": 
153}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 143618, "scanner": "repobility-ast-engine", "fingerprint": "5cde8ccc0454bcbecf690863c4d6dd8532f2d620763a320c528af4c5b5981d89", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5cde8ccc0454bcbecf690863c4d6dd8532f2d620763a320c528af4c5b5981d89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/agent-runner/run_openai.py"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 143617, "scanner": "repobility-ast-engine", "fingerprint": "bd1fcac1bec64c52b8aef9492e1aa1621b586cc0d1c936c6547a89d3b839bee1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bd1fcac1bec64c52b8aef9492e1aa1621b586cc0d1c936c6547a89d3b839bee1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/agent-runner/run_openai.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@cloudflare/workers-types` is minor version(s) behind (4.20260518.1 -> 4.20260605.1)"}, "properties": {"repobilityId": 143656, "scanner": "repobility-dependency-currency", "fingerprint": "18fabe889f8318e1efbc899ba8d7ac33d0f7b9acf29994dec7f1a0a2814840e8", "category": 
"dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@cloudflare/workers-types", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.20260605.1", "correlation_key": "fp|18fabe889f8318e1efbc899ba8d7ac33d0f7b9acf29994dec7f1a0a2814840e8", "current_version": "4.20260518.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/chrome` is minor version(s) behind (0.0.287 -> 0.1.43)"}, "properties": {"repobilityId": 143655, "scanner": "repobility-dependency-currency", "fingerprint": "cac24bc41a8ea3512dbb13eac003dae49029b4378bd08afd20f1f1bdabb5e532", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/chrome", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.1.43", "correlation_key": "fp|cac24bc41a8ea3512dbb13eac003dae49029b4378bd08afd20f1f1bdabb5e532", "current_version": "0.0.287"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143616, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9827ced060ba66fba8895894f7eeff1b7aeb80cae92ce8b4f4931c3f8abc732b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code 
window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "services/agent-runner/run.py", "duplicate_line": 33, "correlation_key": "fp|9827ced060ba66fba8895894f7eeff1b7aeb80cae92ce8b4f4931c3f8abc732b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/agent-runner/run_openai.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143615, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2c8329c665fff813c31dcebe6735dc065d9ed594d12752cc2c53d4e66983f96b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "extension/entrypoints/x-graphql-main.content.ts", "duplicate_line": 2, "correlation_key": "fp|2c8329c665fff813c31dcebe6735dc065d9ed594d12752cc2c53d4e66983f96b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/lib/graphql-users.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 143678, "scanner": "repobility-threat-engine", "fingerprint": "01fe49fe326e14d8aaa0e3f3301887a55ecff3bbdc16d1cd91ce9564e919c031", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": 
["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|01fe49fe326e14d8aaa0e3f3301887a55ecff3bbdc16d1cd91ce9564e919c031"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 143677, "scanner": "repobility-threat-engine", "fingerprint": "d5897992185619d98ef2bbc1728e6dfe35817d9b4290411f06065259842c21e9", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "evidence": {"match": "console.log(`tokens      : ${usage.total_tokens}`)", "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|src/cli.ts|3|console.log tokens : usage.total_tokens"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 143676, "scanner": "repobility-threat-engine", "fingerprint": "4b3d1f5da7bc76208217d4630f94b5c604a37c1b24cbe552082771023e8fad2d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4b3d1f5da7bc76208217d4630f94b5c604a37c1b24cbe552082771023e8fad2d", "aggregated_count": 3}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 143675, "scanner": "repobility-threat-engine", "fingerprint": "f3fc8a1f15238d8b5e4bc19a48ae2bbb3e6e679191d8f35b68e2deaabccf0441", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f3fc8a1f15238d8b5e4bc19a48ae2bbb3e6e679191d8f35b68e2deaabccf0441"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/generate-public-list.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 143674, "scanner": "repobility-threat-engine", "fingerprint": "eecf7fd5f0eb5bfefabffa51f63836646c7e96f56c59147799d8a6466ed9dcf9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eecf7fd5f0eb5bfefabffa51f63836646c7e96f56c59147799d8a6466ed9dcf9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/compile-blacklist.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 143673, "scanner": "repobility-threat-engine", "fingerprint": "87e75a93a05a7d372bf12552fba65c936508046931d90207a0b46b6b63365d64", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|87e75a93a05a7d372bf12552fba65c936508046931d90207a0b46b6b63365d64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cdp-check.mjs"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 143670, "scanner": "repobility-threat-engine", "fingerprint": "936c292d95fdd0dd4f740fc8d2e9b855e64e6a69db2a896f6cad0ec460a27563", "category": "ssrf", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'localhost|127\\.0\\.0\\.1|0\\.0\\.0\\.0' detected on same line", "evidence": {"match": "URL(r", "reason": "Safe pattern 'localhost|127\\.0\\.0\\.1|0\\.0\\.0\\.0' detected on same line", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|936c292d95fdd0dd4f740fc8d2e9b855e64e6a69db2a896f6cad0ec460a27563"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "GHSA-ph9p-34f9-6g65", "level": "error", "message": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "properties": {"repobilityId": 143682, "scanner": "osv-scanner", "fingerprint": "522fe8494b6cb27bdee8f6a2e1de1edff96c3bea009dc4b10c5552142724538a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44705"], "package": "tmp", "rule_id": "GHSA-ph9p-34f9-6g65", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2026-44705|extension/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`, although browsers reject a literal `*` on credentialed requests: the credentialed exposure arises when the server reflects the request's Origin header instead, while a plain `*` exposes whatever the endpoint returns without cookies or HTTP authentication."}, "properties": {"repobilityId": 143680, "scanner": "repobility-threat-engine", "fingerprint": "c7e84e05f6133181546396c412906c6d90323bb87d2045ff16c83f6e3c919293", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"access-control-allow-origin\": \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c7e84e05f6133181546396c412906c6d90323bb87d2045ff16c83f6e3c919293"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and runs event-handler attributes in the data; <script> elements inserted through innerHTML are not executed, so stripping script tags alone is not a sufficient defence. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 143679, "scanner": "repobility-threat-engine", "fingerprint": "3201f4af888446d0ee41aeaf8707e76468e0e128151362d8873ef61c3c3535a0", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((t, i) => `  ${i + 1}. 
${t}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3201f4af888446d0ee41aeaf8707e76468e0e128151362d8873ef61c3c3535a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llm.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 143672, "scanner": "repobility-threat-engine", "fingerprint": "dc84ddebd52cee44a0b331797b9385d3c95b292939ee0ee72d19f58ba7691686", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pending.delete(msg.id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dc84ddebd52cee44a0b331797b9385d3c95b292939ee0ee72d19f58ba7691686"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cdp-check.mjs"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 143669, "scanner": "repobility-threat-engine", "fingerprint": "ba23ff323cebc3d3034abb5beec01d1fa2f86ce5905ad410278c5fa27bdaddca", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ba23ff323cebc3d3034abb5beec01d1fa2f86ce5905ad410278c5fa27bdaddca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/entrypoints/x-graphql-main.content.ts"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 143653, "scanner": "repobility-supply-chain", "fingerprint": "186077898b2104d6c9814b8cd3b310e1cfc8c529d269448d3bab32e43d8b50c7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|186077898b2104d6c9814b8cd3b310e1cfc8c529d269448d3bab32e43d8b50c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 143652, "scanner": 
"repobility-supply-chain", "fingerprint": "f855b6130411b363c38e2133121350f42413478b316f08165dfe4d123078cac1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f855b6130411b363c38e2133121350f42413478b316f08165dfe4d123078cac1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 143651, "scanner": "repobility-supply-chain", "fingerprint": "368e3d0751ff5120b9a92e9d6000bf37e00983f4334d6a20254ffe20255c8382", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|368e3d0751ff5120b9a92e9d6000bf37e00983f4334d6a20254ffe20255c8382"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 143650, "scanner": "repobility-supply-chain", "fingerprint": "0f79de66031f3673a4e0cc722e89b69c2e7f4ef443f09fcf81c74e37911ed624", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": 
"A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f79de66031f3673a4e0cc722e89b69c2e7f4ef443f09fcf81c74e37911ed624"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 143649, "scanner": "repobility-supply-chain", "fingerprint": "69aba2c4b1b6ca87258db6623b6ec2c948cdf90d0ca3ae32d1b6024206adedea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|69aba2c4b1b6ca87258db6623b6ec2c948cdf90d0ca3ae32d1b6024206adedea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 143648, "scanner": "repobility-supply-chain", "fingerprint": "99d335bf5df5963ea5b8d64843632ce5774cbda9e862d61ada2f689caa18ffc5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|99d335bf5df5963ea5b8d64843632ce5774cbda9e862d61ada2f689caa18ffc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": 
{"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 143647, "scanner": "repobility-supply-chain", "fingerprint": "e4a64764635909eeb29322481c5d90014e9fc5f86625c96327826fbab73bc5ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e4a64764635909eeb29322481c5d90014e9fc5f86625c96327826fbab73bc5ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 143646, "scanner": "repobility-supply-chain", "fingerprint": "3d0dc4045895807846d1f168b249c8d849f71592960a5aa7235545a8b4b48de8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3d0dc4045895807846d1f168b249c8d849f71592960a5aa7235545a8b4b48de8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-public-list.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 143645, "scanner": "repobility-supply-chain", "fingerprint": "174fc5d8d61f1f023de60dd6d62ea843a0499d4a476fe8159c9743c364291ca1", "category": 
"dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|174fc5d8d61f1f023de60dd6d62ea843a0499d4a476fe8159c9743c364291ca1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-public-list.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 143644, "scanner": "repobility-supply-chain", "fingerprint": "f09322a944bea2912c706368c01eacdc8c20d81c68e5aca42da02284383fab63", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f09322a944bea2912c706368c01eacdc8c20d81c68e5aca42da02284383fab63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-public-list.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /v1/agent/decide has no auth"}, "properties": {"repobilityId": 143640, "scanner": "repobility-route-auth", "fingerprint": "945a745318bef5e260500edd33eea4722ece61cb0eb529cd320a1f6d37a786c6", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], 
"observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|945a745318bef5e260500edd33eea4722ece61cb0eb529cd320a1f6d37a786c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 2770}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /v1/appeal has no auth"}, "properties": {"repobilityId": 143626, "scanner": "repobility-route-auth", "fingerprint": "3e88ce539cd3cd1525bee719935cab527f33ac1bfe465d108d23434af769e0ef", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|3e88ce539cd3cd1525bee719935cab527f33ac1bfe465d108d23434af769e0ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 1103}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /v1/report has no auth"}, "properties": {"repobilityId": 143625, "scanner": "repobility-route-auth", "fingerprint": "f7fda891dd6a5bb576bf1410cd9542f3dd30cdb74e415cfb3be544a69477098b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f7fda891dd6a5bb576bf1410cd9542f3dd30cdb74e415cfb3be544a69477098b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 1095}}}]}, 
{"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /v1/confirm has no auth"}, "properties": {"repobilityId": 143624, "scanner": "repobility-route-auth", "fingerprint": "f099ef8ec76d6d86dc485266316ca18e39e009ca0c4aa7b06520e745dca79865", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f099ef8ec76d6d86dc485266316ca18e39e009ca0c4aa7b06520e745dca79865"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 1094}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /v1/classify has no auth"}, "properties": {"repobilityId": 143623, "scanner": "repobility-route-auth", "fingerprint": "737d90b8350d2c892fa7a9b4608f4714d4bcb6cd12442b50c9f1863ae4352a56", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|737d90b8350d2c892fa7a9b4608f4714d4bcb6cd12442b50c9f1863ae4352a56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 845}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 143681, "scanner": "gitleaks", "fingerprint": 
"f3c427acaea995e2d4e1dda22b5bd7030529dbbbd78c8b3b7606fba44cd30075", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "viewkey=REDACTED\\n", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|data/blacklist/v1.json|28158|viewkey redacted n"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "data/blacklist/v1.json"}, "region": {"startLine": 281586}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /v1/admin/sync-mirror"}, "properties": {"repobilityId": 143643, "scanner": "repobility-route-auth", "fingerprint": "d9d82c0b35ff824619d0e578312abacf420337158e57221072952902f8945e32", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|d9d82c0b35ff824619d0e578312abacf420337158e57221072952902f8945e32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 3106}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /v1/admin/agent-promote-batch"}, "properties": {"repobilityId": 143642, "scanner": "repobility-route-auth", "fingerprint": "aac36d7bd4a7e7fdbdba997a7242156b8c85b8b5e81c6a9f50757fff225bce7e", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": 
["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|aac36d7bd4a7e7fdbdba997a7242156b8c85b8b5e81c6a9f50757fff225bce7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 3064}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /v1/admin/agent-promote"}, "properties": {"repobilityId": 143641, "scanner": "repobility-route-auth", "fingerprint": "e301ea577816ed4614848c1e2bad5e790f32c2a4de19b5630a10b1ac951809ff", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|e301ea577816ed4614848c1e2bad5e790f32c2a4de19b5630a10b1ac951809ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 3025}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: DELETE /v1/admin/whitelist"}, "properties": {"repobilityId": 143639, "scanner": "repobility-route-auth", "fingerprint": "01bea60be95c8e453b75918bb32a4f7b7405c14b90321bd6d904108972fecbb2", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|01bea60be95c8e453b75918bb32a4f7b7405c14b90321bd6d904108972fecbb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"services/edge/src/index.ts"}, "region": {"startLine": 2082}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /v1/admin/whitelist"}, "properties": {"repobilityId": 143638, "scanner": "repobility-route-auth", "fingerprint": "1c6cd231589abe3180f38009dc1bbfea65daed8143b789c551f315aee9550054", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|1c6cd231589abe3180f38009dc1bbfea65daed8143b789c551f315aee9550054"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 2047}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /v1/admin/keyword-rules/apply-to-queue"}, "properties": {"repobilityId": 143637, "scanner": "repobility-route-auth", "fingerprint": "7b0640fc04bca925ad5cd93ce60e03a85d290755858cc1fa1c61886847a836ee", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|7b0640fc04bca925ad5cd93ce60e03a85d290755858cc1fa1c61886847a836ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 1899}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /v1/admin/keyword-rules/preview"}, "properties": {"repobilityId": 143636, 
"scanner": "repobility-route-auth", "fingerprint": "ce31cec0fe1957ea17a37cea20bf39d8585a4dbefacca67520183c339a42306d", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|ce31cec0fe1957ea17a37cea20bf39d8585a4dbefacca67520183c339a42306d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 1860}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: DELETE /v1/admin/keyword-rules/:id"}, "properties": {"repobilityId": 143635, "scanner": "repobility-route-auth", "fingerprint": "a96e1a48853af8a7ec960d3240e44b1771fb1c7da6a64608d52a42f9c8069f5c", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|a96e1a48853af8a7ec960d3240e44b1771fb1c7da6a64608d52a42f9c8069f5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 1848}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: PATCH /v1/admin/keyword-rules/:id"}, "properties": {"repobilityId": 143634, "scanner": "repobility-route-auth", "fingerprint": "3c8fd99ddfea493982305f92462b9b3e9ab7d5a22628c6aa19f350872152391d", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|3c8fd99ddfea493982305f92462b9b3e9ab7d5a22628c6aa19f350872152391d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 1821}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /v1/admin/keyword-rules"}, "properties": {"repobilityId": 143633, "scanner": "repobility-route-auth", "fingerprint": "5212a2d1e3761969e339d2d25299020f6b5a646c248e83de64464e0fc4238d95", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|5212a2d1e3761969e339d2d25299020f6b5a646c248e83de64464e0fc4238d95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 1800}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: DELETE /v1/admin/whitelist-batch"}, "properties": {"repobilityId": 143632, "scanner": "repobility-route-auth", "fingerprint": "4d68136a4a18fac8b52293225d90752376ab6c68a8e2180fb50f9f7d5e232316", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": 
"repobility-route-auth", "correlation_key": "fp|4d68136a4a18fac8b52293225d90752376ab6c68a8e2180fb50f9f7d5e232316"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 1718}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /v1/admin/decide-batch"}, "properties": {"repobilityId": 143631, "scanner": "repobility-route-auth", "fingerprint": "ccdf47b2f2f2031d58e99f036c7025f28874e797c151ddf9919de9ee958077d1", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|ccdf47b2f2f2031d58e99f036c7025f28874e797c151ddf9919de9ee958077d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 1681}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /v1/admin/decide"}, "properties": {"repobilityId": 143630, "scanner": "repobility-route-auth", "fingerprint": "7f4dc3a163d055cde50f782e42212fd3b8c30793953251009548d708db7d42b2", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|7f4dc3a163d055cde50f782e42212fd3b8c30793953251009548d708db7d42b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 1643}}}]}, {"ruleId": 
"MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /v1/admin/reporter-fingerprints/backfill"}, "properties": {"repobilityId": 143629, "scanner": "repobility-route-auth", "fingerprint": "84b7d0b7146f494c5788ba5bf4d04231a644a3613041d7a9394fca6defbf2c6d", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|84b7d0b7146f494c5788ba5bf4d04231a644a3613041d7a9394fca6defbf2c6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 1200}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: DELETE /v1/admin/reporter-bans/:id"}, "properties": {"repobilityId": 143628, "scanner": "repobility-route-auth", "fingerprint": "378ce6c9d50c03973038cd3559c0e9f2e6cbfb06e3978726a3329dd414d1fc0a", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|378ce6c9d50c03973038cd3559c0e9f2e6cbfb06e3978726a3329dd414d1fc0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 1192}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /v1/admin/reporter-bans"}, "properties": {"repobilityId": 143627, "scanner": "repobility-route-auth", "fingerprint": 
"61e2bdba5b018a4c2e6eab6700bab8ff4e8dc0d4c89dc19a7b63ecf6d1455942", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|61e2bdba5b018a4c2e6eab6700bab8ff4e8dc0d4c89dc19a7b63ecf6d1455942"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/edge/src/index.ts"}, "region": {"startLine": 1172}}}]}]}]}