{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB004", "name": "robots.txt blocks the full public site", "shortDescription": {"text": "robots.txt blocks the full public site"}, "fullDescription": {"text": "Replace full-site blocking with specific private path disallows, or add explicit Allow rules for public docs and landing pages."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `busybox` image has no explicit tag", "shortDescription": {"text": "Compose service `busybox` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Dockerfile base image uses the latest tag", "shortDescription": {"text": "Dockerfile base image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . 
with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC094", "name": "[SEC094] Go: world-writable file permissions: File or directory created with world-writable mode (e.g. 0666, 0777). Port", "shortDescription": {"text": "[SEC094] Go: world-writable file permissions: File or directory created with world-writable mode (e.g. 0666, 0777). Ported from gosec G301 / G302 / G306 (Apache-2.0)."}, "fullDescription": {"text": "Use 0600 for files, 0700 for dirs that should be private."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": 
".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. 
Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.", "shortDescription": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 4 more): Same pattern found in 4 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 14 more): Same pattern found in 14 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `alpine:latest` not pinned by digest: `FROM alpine:latest` resolves the tag at build time. Th", "shortDescription": {"text": "[MINED118] Dockerfile FROM `alpine:latest` not pinned by digest: `FROM alpine:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images sh"}, "fullDescription": {"text": "Replace with: `FROM alpine:latest@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "fullDescription": {"text": "Use a constant command name and validate args via a whitelist."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. 
Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.DISCORD_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_requ", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.DISCORD_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.DISCORD_WEBHOOK_URL }` lets a PR from any fork exfiltrat"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-95 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1225"}, "properties": {"repository": "GoMudEngine/GoMud", "repoUrl": "https://github.com/GoMudEngine/GoMud", "branch": "master"}, "results": [{"ruleId": "WEB004", "level": "warning", "message": {"text": "robots.txt blocks the full public site"}, "properties": {"repobilityId": 123570, "scanner": "repobility-web-presence", "fingerprint": "d1ac48c5b383d616e379b7f3bb4978ec1ba1fc398763bb1e147e090fc34dcb5a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "robots.txt contains a global disallow rule for the root path.", "evidence": {"rule_id": "WEB004", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309"], "correlation_key": "fp|d1ac48c5b383d616e379b7f3bb4978ec1ba1fc398763bb1e147e090fc34dcb5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `busybox` image has no explicit tag"}, "properties": {"repobilityId": 123567, "scanner": "repobility-docker", "fingerprint": "da239d9261392e4922b323e1608214f686e23850b719db3b697a011937600100", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "busybox", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|da239d9261392e4922b323e1608214f686e23850b719db3b697a011937600100"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 123564, "scanner": "repobility-docker", "fingerprint": "23efd446c56b56925e10fa337e560ada68de95db98153deb2270cfd747a57100", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "alpine:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|23efd446c56b56925e10fa337e560ada68de95db98153deb2270cfd747a57100"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "provisioning/terminal/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 123563, "scanner": "repobility-docker", "fingerprint": "ad9545ff6977f70c00fae5bc0270236cc82c1d77405fb292b54df63c781f67b0", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "alpine:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ad9545ff6977f70c00fae5bc0270236cc82c1d77405fb292b54df63c781f67b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "provisioning/Dockerfile"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKR014", "level": "warning", "message": 
{"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 123562, "scanner": "repobility-docker", "fingerprint": "34e80dcb98b4972d34b6b0a2759438590c107d25d651f89396132ebe7ad80b59", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|34e80dcb98b4972d34b6b0a2759438590c107d25d651f89396132ebe7ad80b59", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "provisioning/Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 123558, "scanner": "repobility-agent-runtime", "fingerprint": "d2148a764606e36772c0c693e94f39c00ba432943ed0c4124143f81ba22eb9f2", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|d2148a764606e36772c0c693e94f39c00ba432943ed0c4124143f81ba22eb9f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/public/static/js/windows/window-map.js"}, "region": {"startLine": 65}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 123557, "scanner": 
"repobility-agent-runtime", "fingerprint": "6c55987212a94a44a4e7fc5ba6242346fec90c92bbc840034befa42018785135", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|6c55987212a94a44a4e7fc5ba6242346fec90c92bbc840034befa42018785135"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/public/static/js/webclient-core.js"}, "region": {"startLine": 585}}}]}, {"ruleId": "SEC094", "level": "warning", "message": {"text": "[SEC094] Go: world-writable file permissions: File or directory created with world-writable mode (e.g. 0666, 0777). Ported from gosec G301 / G302 / G306 (Apache-2.0)."}, "properties": {"repobilityId": 123523, "scanner": "repobility-threat-engine", "fingerprint": "806530acf33ebdab0c9ce75614428018246693aaa1c56e574b3fdd09fd5546e2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.WriteFile(saveFilePath, bytes, 0777", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC094", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|806530acf33ebdab0c9ce75614428018246693aaa1c56e574b3fdd09fd5546e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/fileloader/fileloader.go"}, "region": {"startLine": 245}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 123505, "scanner": "repobility-threat-engine", "fingerprint": "1673cf830630d447c2735b34020e8029cd139ffb93d85f22239cbbf70c8660db", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ive(\"patrolling\", false);\n    }\n\n    var random = Math.floor(Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1673cf830630d447c2735b34020e8029cd139ffb93d85f22239cbbf70c8660db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/default/mobs/frostfang/scripts/2-guard.js"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 123503, "scanner": "repobility-threat-engine", "fingerprint": "1cfd3a3a487f28d768853a3d5e9ece625faabf914c558a95276bfdc9cb00f55b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) {\n            return null;\n        }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1cfd3a3a487f28d768853a3d5e9ece625faabf914c558a95276bfdc9cb00f55b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/public/static/js/triggers.js"}, "region": {"startLine": 126}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 123501, "scanner": "repobility-threat-engine", "fingerprint": "69020711a5c07eb239b0b19fe6c6f5efd8a50551c660905a141f5b8fb920b448", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new Function(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|193|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/public/static/js/triggers.js"}, "region": {"startLine": 193}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 123487, "scanner": "repobility-threat-engine", "fingerprint": "42aaea834605ca7ae72964f9f4de253dfc94e8845bc03d3305a57042164bd7f6", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|42aaea834605ca7ae72964f9f4de253dfc94e8845bc03d3305a57042164bd7f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/admin/static/js/api.js"}, "region": {"startLine": 55}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 123569, "scanner": "repobility-web-presence", "fingerprint": "7526c03abbde7de3154bd021a330cecb1e125210ac20f9e95776b64f1c0ea8cb", "category": "quality", "severity": "low", "confidence": 0.74, 
"triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|7526c03abbde7de3154bd021a330cecb1e125210ac20f9e95776b64f1c0ea8cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 123568, "scanner": "repobility-docker", "fingerprint": "591f6e56695f3ac8de6e03ebd12967733377f7037e07557298114ab48b80cb97", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "terminal", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|591f6e56695f3ac8de6e03ebd12967733377f7037e07557298114ab48b80cb97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 123566, "scanner": "repobility-docker", "fingerprint": "47ad8ce9442b89147f367e5519d35c9599bec70f01016294f7329f21042c513c", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "server", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|47ad8ce9442b89147f367e5519d35c9599bec70f01016294f7329f21042c513c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 123560, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123556, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f8ae1b8e097d440f66230fd2ec44c1dfdd04de3d9b244812688f2db15a986858", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/world/default/rooms/tutorial/903.js", "duplicate_line": 1, "correlation_key": "fp|f8ae1b8e097d440f66230fd2ec44c1dfdd04de3d9b244812688f2db15a986858"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/empty/rooms/tutorial/903.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123555, "scanner": "repobility-ai-code-hygiene", "fingerprint": "899b2f7bf882dc8277e12f7bc9a8c440dca6ed17459b88e39da763bf5c6419aa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/world/default/rooms/tutorial/900.js", "duplicate_line": 82, "correlation_key": "fp|899b2f7bf882dc8277e12f7bc9a8c440dca6ed17459b88e39da763bf5c6419aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/empty/rooms/tutorial/902.js"}, "region": {"startLine": 80}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123554, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a047a97208955322986ab1d5877c4b301229a31505575397a4a485637f5ec52b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/world/default/rooms/tutorial/901.js", "duplicate_line": 8, "correlation_key": "fp|a047a97208955322986ab1d5877c4b301229a31505575397a4a485637f5ec52b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/empty/rooms/tutorial/902.js"}, 
"region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123553, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6937925f58c0670ec78204ca8fdc7ed36595803d7ec9a3b11e4628e669ebe8d3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/world/default/rooms/tutorial/902.js", "duplicate_line": 1, "correlation_key": "fp|6937925f58c0670ec78204ca8fdc7ed36595803d7ec9a3b11e4628e669ebe8d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/empty/rooms/tutorial/902.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123552, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4160725b59f1ae2f8555870d918f198dfadcd2ef14493d9c37aaac1bb332a10f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/world/default/rooms/tutorial/900.js", "duplicate_line": 82, "correlation_key": "fp|4160725b59f1ae2f8555870d918f198dfadcd2ef14493d9c37aaac1bb332a10f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/empty/rooms/tutorial/901.js"}, "region": {"startLine": 87}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 123551, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e4b8acac8cc9228877133fdc5fbd2b29d442cfaf63a3ecd6cf3d868c5fadeb0d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/world/default/rooms/tutorial/901.js", "duplicate_line": 1, "correlation_key": "fp|e4b8acac8cc9228877133fdc5fbd2b29d442cfaf63a3ecd6cf3d868c5fadeb0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/empty/rooms/tutorial/901.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123550, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e7978311956567978b1203438cbb8b198b5df47154f6da48dde24d3aeef747a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/world/default/rooms/tutorial/900.js", "duplicate_line": 1, "correlation_key": "fp|4e7978311956567978b1203438cbb8b198b5df47154f6da48dde24d3aeef747a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/empty/rooms/tutorial/900.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123549, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "722008774717bfec7d649d102ed1a5ab98317b1cff544ccb26f42e9f759ea3a6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/world/default/buffs/24-death_recovery.js", "duplicate_line": 1, "correlation_key": "fp|722008774717bfec7d649d102ed1a5ab98317b1cff544ccb26f42e9f759ea3a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/empty/buffs/24-death_recovery.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123548, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2d01530d91e812ae5b7f8ea92858bd88559dfaec47b787f72635d40a36162338", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/sample-scripts/spells/harmarea.js", "duplicate_line": 4, "correlation_key": "fp|2d01530d91e812ae5b7f8ea92858bd88559dfaec47b787f72635d40a36162338"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/default/spells/sparks.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123547, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"ece57b8ae17d82e514992bbd45d2dd5c7f30231b11d28df2fadca803fe1e51b6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/sample-scripts/spells/neutral.js", "duplicate_line": 1, "correlation_key": "fp|ece57b8ae17d82e514992bbd45d2dd5c7f30231b11d28df2fadca803fe1e51b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/default/spells/illum.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123546, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f0651aba58406128457ba3aa2b816f135fb75e9261417d5cdc8d907a7664c4ae", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/sample-scripts/spells/helparea.js", "duplicate_line": 7, "correlation_key": "fp|f0651aba58406128457ba3aa2b816f135fb75e9261417d5cdc8d907a7664c4ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/default/spells/healall.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123545, "scanner": "repobility-ai-code-hygiene", "fingerprint": "021dc9d79b8fb857b46de73f5b1a1a16e9ff5e99e54970fb0695a1d1da3dd744", "category": "quality", "severity": "low", 
"confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/sample-scripts/spells/harmarea.js", "duplicate_line": 4, "correlation_key": "fp|021dc9d79b8fb857b46de73f5b1a1a16e9ff5e99e54970fb0695a1d1da3dd744"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/default/spells/healall.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123544, "scanner": "repobility-ai-code-hygiene", "fingerprint": "72f0d33cf3f456f0b02072fdefdbee6d5841e15b094e927ec13b482e4a9c9f3e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/sample-scripts/spells/helpsingle.js", "duplicate_line": 4, "correlation_key": "fp|72f0d33cf3f456f0b02072fdefdbee6d5841e15b094e927ec13b482e4a9c9f3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/default/spells/heal.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123543, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b42309119ed41a3cf9114932be711f1ab534f9f61b306bc8ac27911d6db36aaa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized 
source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/world/default/rooms/tutorial/900.js", "duplicate_line": 82, "correlation_key": "fp|b42309119ed41a3cf9114932be711f1ab534f9f61b306bc8ac27911d6db36aaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/default/rooms/tutorial/903.js"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123542, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3013b642ca8e92df85cbaeba8bc948afb7d6b89b99604dcd2a809eeb3f6b8804", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/world/default/rooms/tutorial/901.js", "duplicate_line": 78, "correlation_key": "fp|3013b642ca8e92df85cbaeba8bc948afb7d6b89b99604dcd2a809eeb3f6b8804"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/default/rooms/tutorial/903.js"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123541, "scanner": "repobility-ai-code-hygiene", "fingerprint": "150cd3d697b4dd371eabf7b644c6d97caf050ac97f7cab0cc4080f6bcf13da20", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/world/default/rooms/tutorial/900.js", "duplicate_line": 82, "correlation_key": "fp|150cd3d697b4dd371eabf7b644c6d97caf050ac97f7cab0cc4080f6bcf13da20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/default/rooms/tutorial/902.js"}, "region": {"startLine": 80}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123540, "scanner": "repobility-ai-code-hygiene", "fingerprint": "64f3e9743920b85cae7483c063295370b57ece5c2ab912db06befb53178212fc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/world/default/rooms/tutorial/901.js", "duplicate_line": 8, "correlation_key": "fp|64f3e9743920b85cae7483c063295370b57ece5c2ab912db06befb53178212fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/default/rooms/tutorial/902.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123539, "scanner": "repobility-ai-code-hygiene", "fingerprint": "820a1efc9a091927b8d80d59d4c27d9ff3f60e8f2963532911be7cf7c6a7a720", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "_datafiles/world/default/rooms/tutorial/900.js", "duplicate_line": 82, "correlation_key": "fp|820a1efc9a091927b8d80d59d4c27d9ff3f60e8f2963532911be7cf7c6a7a720"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/default/rooms/tutorial/901.js"}, "region": {"startLine": 87}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123538, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f023c9672055fde2241540853c7c9c6bccef4743b52e6a47b7c955b05a335c5d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/world/default/rooms/dark_forest/565.js", "duplicate_line": 3, "correlation_key": "fp|f023c9672055fde2241540853c7c9c6bccef4743b52e6a47b7c955b05a335c5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/default/rooms/dark_forest/568.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123537, "scanner": "repobility-ai-code-hygiene", "fingerprint": "611d6cf9b91413db63209b7d8a0a945a115f9d539960ee4748a230b05520b795", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/world/default/mobs/frostfang/scripts/39-elara.js", 
"duplicate_line": 16, "correlation_key": "fp|611d6cf9b91413db63209b7d8a0a945a115f9d539960ee4748a230b05520b795"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/world/default/mobs/whispering_wastes/scripts/27-hermit-winterfire.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123536, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fe8fad533ca8cfc5adfe28aa5ecd18054e34f77bae7509775a0e14ff9dc7b996", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/sample-scripts/spells/helparea.js", "duplicate_line": 7, "correlation_key": "fp|fe8fad533ca8cfc5adfe28aa5ecd18054e34f77bae7509775a0e14ff9dc7b996"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/sample-scripts/spells/helpmulti.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123535, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d1c9d18899dd50a3ea7e5f55b04ae3c8f274fbab33d8ad495711d6927afdf116", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/sample-scripts/spells/harmarea.js", "duplicate_line": 4, "correlation_key": 
"fp|d1c9d18899dd50a3ea7e5f55b04ae3c8f274fbab33d8ad495711d6927afdf116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/sample-scripts/spells/helpmulti.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123534, "scanner": "repobility-ai-code-hygiene", "fingerprint": "433f70c2e8d2a293cc24f42f35db961b0798af0d8caab470a2be30c2afe5c1b3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/sample-scripts/spells/harmarea.js", "duplicate_line": 4, "correlation_key": "fp|433f70c2e8d2a293cc24f42f35db961b0798af0d8caab470a2be30c2afe5c1b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/sample-scripts/spells/helparea.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123533, "scanner": "repobility-ai-code-hygiene", "fingerprint": "95979bff43a3b19bfe0f972a9a6a4dcba13761b017b0396de2e9ed4809b3a4ed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/sample-scripts/spells/harmarea.js", "duplicate_line": 4, "correlation_key": "fp|95979bff43a3b19bfe0f972a9a6a4dcba13761b017b0396de2e9ed4809b3a4ed"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "_datafiles/sample-scripts/spells/harmmulti.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123532, "scanner": "repobility-ai-code-hygiene", "fingerprint": "baf70c3dbd330954bb32888fc1a4839b211b05ad39e568df770f4c51852c3d1a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/html/public/static/js/windows/window-gear.js", "duplicate_line": 15, "correlation_key": "fp|baf70c3dbd330954bb32888fc1a4839b211b05ad39e568df770f4c51852c3d1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/public/static/js/windows/window-pet.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123531, "scanner": "repobility-ai-code-hygiene", "fingerprint": "affbb62ca0133bbd16d03fcd829d83200ab2ac31df7bc434bc743f51539d0ef3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/html/public/static/js/windows/window-character.js", "duplicate_line": 3, "correlation_key": "fp|affbb62ca0133bbd16d03fcd829d83200ab2ac31df7bc434bc743f51539d0ef3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"_datafiles/html/public/static/js/windows/window-pet.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123530, "scanner": "repobility-ai-code-hygiene", "fingerprint": "71c865b2087919184ce5a7f8ec9810b0e7e4b36ebb8c9718a8f199d67314bdf4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/html/public/static/js/windows/window-gear.js", "duplicate_line": 15, "correlation_key": "fp|71c865b2087919184ce5a7f8ec9810b0e7e4b36ebb8c9718a8f199d67314bdf4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/public/static/js/windows/window-killstats.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123529, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7b266863d996b5d85c9303b37cf8814740f75c5366158aa2e2f3447deb559465", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/html/public/static/js/windows/window-character.js", "duplicate_line": 1, "correlation_key": "fp|7b266863d996b5d85c9303b37cf8814740f75c5366158aa2e2f3447deb559465"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"_datafiles/html/public/static/js/windows/window-killstats.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123528, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3b4a415fc42007f495f8112e45d90918a38a154a639d3290587f1ed539468ac9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/html/public/static/js/windows/window-character.js", "duplicate_line": 1, "correlation_key": "fp|3b4a415fc42007f495f8112e45d90918a38a154a639d3290587f1ed539468ac9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/public/static/js/windows/window-gear.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123527, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a5495158c97741972b66ac37f9f34bbf561c94bb3a25ddf1be30c330948dc80c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "_datafiles/html/public/static/js/windows/window-character.js", "duplicate_line": 7, "correlation_key": "fp|a5495158c97741972b66ac37f9f34bbf561c94bb3a25ddf1be30c330948dc80c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"_datafiles/html/public/static/js/windows/window-comm.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 123516, "scanner": "repobility-threat-engine", "fingerprint": "35c93dd3cea1829835b60fd5439de23c9014ef31b27d1a0db7b04ac2f7447aa9", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = strconv.ParseUint(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|35c93dd3cea1829835b60fd5439de23c9014ef31b27d1a0db7b04ac2f7447aa9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/inputhandlers/systemcommands.go"}, "region": {"startLine": 145}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 123515, "scanner": "repobility-threat-engine", "fingerprint": "c81ad53f790ab8ae49a0990d428f35a6822ef3e36811f6e4c2e212aa4e1ee3c7", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = os.Remove(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c81ad53f790ab8ae49a0990d428f35a6822ef3e36811f6e4c2e212aa4e1ee3c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/conversations/admin.go"}, "region": {"startLine": 173}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return 
values."}, "properties": {"repobilityId": 123514, "scanner": "repobility-threat-engine", "fingerprint": "810c21413a1f1fe69556c2650b57d794709da0df9557a4a3e96df5f634a32b96", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = filepath.WalkDir(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|810c21413a1f1fe69556c2650b57d794709da0df9557a4a3e96df5f634a32b96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/audio/audio.go"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 123495, "scanner": "repobility-threat-engine", "fingerprint": "dbb462b8b4b53d6d3ef2553fa077ff0b3da9dd8a0dedac4442baf79fba80b163", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "' stops chanting and unleashes a '+SPELL_DESCRIPTION+', hitting '", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dbb462b8b4b53d6d3ef2553fa077ff0b3da9dd8a0dedac4442baf79fba80b163"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/sample-scripts/spells/harmmulti.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 123494, "scanner": "repobility-threat-engine", "fingerprint": "8590cec8d646cea8789f2428f37b422928ca1cf662e01d530b3e18b286f7183d", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "' stops chanting and unleashes a '+SPELL_DESCRIPTION+', hitting '", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8590cec8d646cea8789f2428f37b422928ca1cf662e01d530b3e18b286f7183d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/sample-scripts/spells/harmarea.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 123493, "scanner": "repobility-threat-engine", "fingerprint": "3b64f6dba1def93b29badf70ba58b9165341239362e206de0807c53b7c84140c", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'; expires=' + expires + '; path=/; SameSite=Lax'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3b64f6dba1def93b29badf70ba58b9165341239362e206de0807c53b7c84140c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/admin/static/js/theme-switcher.js"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 123490, "scanner": "repobility-threat-engine", "fingerprint": "0991b4187eb3af686e502224fd9c5ad064add0c62a33833cbb979cc153450b53", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML =\n            '<span class=\"text-name ' + fromSource + '\">' + f", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|227|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/public/static/js/windows/window-comm.js"}, "region": {"startLine": 227}}}]}, {"ruleId": "SEC006", "level": "note", 
"message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 123489, "scanner": "repobility-threat-engine", "fingerprint": "770debbe931656fe3d20299e124cbf94b1e1d856a4cde93836771de18b545937", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|112|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/admin/static/js/select-dialog.js"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 123488, "scanner": "repobility-threat-engine", "fingerprint": "e473cbb7745f6206b1e39d88266401470aba0bf673cbb8b2a14c86a726ab9598", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = h", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|69|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/admin/static/js/mapper/mapper-ctx-menu.js"}, "region": {"startLine": 69}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `server` image is selected through a build variable"}, "properties": 
{"repobilityId": 123565, "scanner": "repobility-docker", "fingerprint": "793520a497ee42f3c7f6cf35d146b25ef2e58771b2071f0af0da341c1c3e169d", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Image reference contains a variable; manual review is needed to avoid false positives. Note that the evidence value falls back to the floating latest tag whenever TAG is unset, so this should not be closed as a false positive without confirming TAG is always supplied or changing the default to a pinned version tag or digest.", "evidence": {"image": "localhost/go-mud-server:${TAG:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|793520a497ee42f3c7f6cf35d146b25ef2e58771b2071f0af0da341c1c3e169d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 123561, "scanner": "repobility-docker", "fingerprint": "ca3e66dfb88f4b77f79d10e7956e940b651098b533edc3ba508aca34ba5d4854", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives. Here the variable supplies the entire tag and no default is given, so the build depends on GO_VERSION being set by the caller; confirm that the value passed in is a specific version (or digest) rather than a floating tag.", "evidence": {"image": "golang:${GO_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|ca3e66dfb88f4b77f79d10e7956e940b651098b533edc3ba508aca34ba5d4854"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "provisioning/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 123525, 
"scanner": "repobility-threat-engine", "fingerprint": "8066f63d1d3baddcab5dbd18a9ffc0261b8938430a34fd43e3c0c6f15c9097bc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8066f63d1d3baddcab5dbd18a9ffc0261b8938430a34fd43e3c0c6f15c9097bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/term/telnet.go"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 123524, "scanner": "repobility-threat-engine", "fingerprint": "08b47c475859e6c370e3d6c02533602288560389e9d76135dd1fbf3b340586d9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|08b47c475859e6c370e3d6c02533602288560389e9d76135dd1fbf3b340586d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/mudlog/mudlog.go"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 4 more): 
Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 123521, "scanner": "repobility-threat-engine", "fingerprint": "988f5eb93abd250acafc74d1384ac7b774c62f3677f848e26babb05aa408c146", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|988f5eb93abd250acafc74d1384ac7b774c62f3677f848e26babb05aa408c146", "aggregated_count": 4}}}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 123517, "scanner": "repobility-threat-engine", "fingerprint": "961c778412e7fbd86f6ba4183e5033c7cb9f706769045bc54758aaab521578b2", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|961c778412e7fbd86f6ba4183e5033c7cb9f706769045bc54758aaab521578b2"}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 123513, "scanner": "repobility-threat-engine", "fingerprint": "1973f3d1afc5767a8ea0f3c424f96099b15a3a0f79f86c59045ae57fdde455b5", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1973f3d1afc5767a8ea0f3c424f96099b15a3a0f79f86c59045ae57fdde455b5", "aggregated_count": 14}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 123512, "scanner": "repobility-threat-engine", "fingerprint": "6617e4a2b83fdc87f3e3a3db403a67de5189ab4d0105dc3a9321667696918bb7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6617e4a2b83fdc87f3e3a3db403a67de5189ab4d0105dc3a9321667696918bb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/colorpatterns/colorpatterns.go"}, "region": {"startLine": 348}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 123511, "scanner": "repobility-threat-engine", "fingerprint": "7122197c975ba7c3f39c4046c36a23fd5a23794a3fb9787cdba78a1008c60755", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7122197c975ba7c3f39c4046c36a23fd5a23794a3fb9787cdba78a1008c60755"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/buffs/buffspec.go"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 123510, "scanner": "repobility-threat-engine", "fingerprint": "fd9f4ecc92142e51e97db373c72afaba8ebe0202935f502d0fa7c131904be06e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fd9f4ecc92142e51e97db373c72afaba8ebe0202935f502d0fa7c131904be06e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/audio/audio.go"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 123509, "scanner": "repobility-threat-engine", "fingerprint": "ba03e8ba8898d35cc1680250b3a7ac027d321c92875d279fc73324412e8b9062", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ba03e8ba8898d35cc1680250b3a7ac027d321c92875d279fc73324412e8b9062"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/reset-admin-pw/main.go"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] 
Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 123500, "scanner": "repobility-threat-engine", "fingerprint": "2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58"}}}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 123496, "scanner": "repobility-threat-engine", "fingerprint": "66395a6fcf0f3ecee9316826f6d915a403ea9b1b0d59964772bfe6cba15fe878", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|66395a6fcf0f3ecee9316826f6d915a403ea9b1b0d59964772bfe6cba15fe878"}}}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "properties": {"repobilityId": 123491, "scanner": "repobility-threat-engine", "fingerprint": "0ec1a985434354ca2002c8bdff9452dae49826fa5ad2907c3ce8a4e937d74bbd", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0ec1a985434354ca2002c8bdff9452dae49826fa5ad2907c3ce8a4e937d74bbd"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 123486, "scanner": "repobility-threat-engine", "fingerprint": "352733a8265469346341707626bcd9c02f9562b97d3e68ca20dd7da47f9539b8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|352733a8265469346341707626bcd9c02f9562b97d3e68ca20dd7da47f9539b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/public/static/js/triggers.js"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in 
code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 123485, "scanner": "repobility-threat-engine", "fingerprint": "648578b648a745a5fa6086c91226fbefad0d5baf4d9db2911f0de0cc29cdba03", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|648578b648a745a5fa6086c91226fbefad0d5baf4d9db2911f0de0cc29cdba03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/public/static/js/mp3.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 123484, "scanner": "repobility-threat-engine", "fingerprint": "c33bda79eee2962e7109c83b612b45a5730d238c7a83ab33ae0f8b2704b7c8d1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c33bda79eee2962e7109c83b612b45a5730d238c7a83ab33ae0f8b2704b7c8d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/admin/static/js/api.js"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:latest` not pinned by digest: `FROM alpine:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity. A digest pin also freezes security fixes, so pair it with automated digest updates (for example Dependabot or Renovate) and rebuild when the pinned base is patched; a specific version tag is a weaker but acceptable interim step compared with `latest`."}, "properties": {"repobilityId": 123573, "scanner": "repobility-supply-chain", "fingerprint": "b1c11f64ae3a39cbbbd0ee27ed4b2ab9d690334978e436462c6b162d28eeda9d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b1c11f64ae3a39cbbbd0ee27ed4b2ab9d690334978e436462c6b162d28eeda9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "provisioning/terminal/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:latest` not pinned by digest: `FROM alpine:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity. A digest pin also freezes security fixes, so pair it with automated digest updates (for example Dependabot or Renovate) and rebuild when the pinned base is patched; a specific version tag is a weaker but acceptable interim step compared with `latest`."}, "properties": {"repobilityId": 123572, "scanner": "repobility-supply-chain", "fingerprint": "ac23a44bf56215f216e4aa10b9b95540acaf79cc4117963077e24dd711d559c1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ac23a44bf56215f216e4aa10b9b95540acaf79cc4117963077e24dd711d559c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "provisioning/Dockerfile"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `golang:1.25` not pinned by digest: `FROM golang:1.25` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity. A digest pin also freezes security fixes, so pair it with automated digest updates (for example Dependabot or Renovate) and rebuild when the pinned base is patched. The path .github/Dockerfile.act suggests a CI helper image rather than the shipped server image, so the severity may be overstated - confirm how this image is used."}, "properties": {"repobilityId": 123571, "scanner": "repobility-supply-chain", "fingerprint": "235e0ae67855152911985257e03c6bbc1d6dffe6cbea58eefac3aebad4c1c3ca", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|235e0ae67855152911985257e03c6bbc1d6dffe6cbea58eefac3aebad4c1c3ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/Dockerfile.act"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 123559, "scanner": "repobility-docker", "fingerprint": "e1b73dbad12f36a42f20c6fc2cd6e238ece523a931b811b780590aa094110c69", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell. Whatever the remote host serves at build time runs with the build's privileges and nothing verifies it. Fetch the script to a file from a pinned release URL, verify it against a known checksum or signature, and execute it only after verification.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e1b73dbad12f36a42f20c6fc2cd6e238ece523a931b811b780590aa094110c69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/Dockerfile.act"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. 
Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 123522, "scanner": "repobility-threat-engine", "fingerprint": "53287718884905b6ca92ad302d785c541fe61be49ab79e13bdf874439212451c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. The match is exec.Command(binaryPath, ...); the pattern alone does not establish whether binaryPath can be influenced by an attacker. Before accepting this at high severity, confirm where binaryPath comes from (for example os.Executable() versus configuration or user-supplied input) and whether it is validated.", "evidence": {"match": "exec.Command(binaryPath,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|53287718884905b6ca92ad302d785c541fe61be49ab79e13bdf874439212451c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/copyover/copyover.go"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 123520, "scanner": "repobility-threat-engine", "fingerprint": "78264f8ab14951e4b78864da6011df583675318eb2147ff03ca92aee191e14fa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|78264f8ab14951e4b78864da6011df583675318eb2147ff03ca92aee191e14fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/pets/pets.go"}, "region": {"startLine": 399}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 123519, "scanner": "repobility-threat-engine", "fingerprint": "96a6b73daef434621e518c6df29138eee46a30c35cc0365b6ea82750febcfb55", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|96a6b73daef434621e518c6df29138eee46a30c35cc0365b6ea82750febcfb55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/hooks/NewRound_UserRoundTick.go"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 123518, "scanner": "repobility-threat-engine", "fingerprint": "18d849d8e48733327f954500bd593692ccb8cc8dfb0100e008d6152891570dd3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|18d849d8e48733327f954500bd593692ccb8cc8dfb0100e008d6152891570dd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/connections/connections.go"}, "region": {"startLine": 197}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 123508, "scanner": "repobility-threat-engine", "fingerprint": "1e9f26d7e5fbd3754c96aa25f955e43117a22ea8144dabe202bd5fdbedf44bcd", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "print(stdout, \"New admin password: \"<redacted>", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|cmd/reset-admin-pw/main.go|8|print stdout new admin password: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/reset-admin-pw/main.go"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 123507, "scanner": "repobility-threat-engine", "fingerprint": "f195464625679208dae13161df4134e4f1d0f4580aef9f8677d7df70b45ee0bf", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Get(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f195464625679208dae13161df4134e4f1d0f4580aef9f8677d7df70b45ee0bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/modmanager/registry.go"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 123506, "scanner": "repobility-threat-engine", "fingerprint": "73cc0a1d815828f5a92f0668d7837b4a6ad3c718571fc2db90ca1ca12a77f703", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Get(e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|73cc0a1d815828f5a92f0668d7837b4a6ad3c718571fc2db90ca1ca12a77f703"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/modmanager/install.go"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 123502, "scanner": "repobility-threat-engine", "fingerprint": "26004f90ab6becc1aedd4e26b0ddee2d35040c541f02185946027d7977cf183b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(regexPattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|26004f90ab6becc1aedd4e26b0ddee2d35040c541f02185946027d7977cf183b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/public/static/js/triggers.js"}, "region": {"startLine": 177}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async 
call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 123499, "scanner": "repobility-threat-engine", "fingerprint": "3226e1d241cfa195eb6b0c6242958215d41507e6f8831c059b24440afdc05129", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "zoneInfo.Mutators.Update(evt.RoundNumber)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3226e1d241cfa195eb6b0c6242958215d41507e6f8831c059b24440afdc05129"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/hooks/NewRound_UpdateZoneMutators.go"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 123498, "scanner": "repobility-threat-engine", "fingerprint": "43f8410f0f1a39bafaaa13ab8bfbb4031bed4cc08d7610e7b4a7ecf6a6b51ee7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "plugins.Save()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|43f8410f0f1a39bafaaa13ab8bfbb4031bed4cc08d7610e7b4a7ecf6a6b51ee7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "copyover.go"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 123497, "scanner": "repobility-threat-engine", "fingerprint": "bd19f8c88d1058671a0eedf8c5d4a158fc052e0356d8ea9f1c13814155f2c44c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.activeAudios.delete(audio);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bd19f8c88d1058671a0eedf8c5d4a158fc052e0356d8ea9f1c13814155f2c44c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/public/static/js/mp3.js"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 123492, "scanner": "repobility-threat-engine", "fingerprint": "21f7479e9d6524dadf9a1c25ae7d393c0895626c2ed395ad53df776704c6d63c", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `<span class=\"sd-title\">${title}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|21f7479e9d6524dadf9a1c25ae7d393c0895626c2ed395ad53df776704c6d63c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/admin/static/js/select-dialog.js"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DISCORD_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DISCORD_WEBHOOK_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 123574, "scanner": "repobility-supply-chain", "fingerprint": "bc91d9c3b3d24b729037b18e49f210ed10ecccdbe05c279496fd84977cd9433e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bc91d9c3b3d24b729037b18e49f210ed10ecccdbe05c279496fd84977cd9433e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/discord-notify.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 123526, "scanner": "repobility-threat-engine", "fingerprint": "aaca6fe3b90890082a9dfc5a914e953c7960885c75710f80b0f428d9e325ae3b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aaca6fe3b90890082a9dfc5a914e953c7960885c75710f80b0f428d9e325ae3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/web/admin_items.go"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new 
Function(...) compiles strings to functions."}, "properties": {"repobilityId": 123504, "scanner": "repobility-threat-engine", "fingerprint": "bba3ea887d8af0b993b8195349e674945afd1a6715c619826c4c4ab81c684d6c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bba3ea887d8af0b993b8195349e674945afd1a6715c619826c4c4ab81c684d6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_datafiles/html/public/static/js/triggers.js"}, "region": {"startLine": 193}}}]}]}]}