{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 49 more): Same pattern found in 49 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 49 more): Same pattern found in 49 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 32 more): Same pattern found in 32 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 32 more): Same pattern found in 32 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `ghcr.io/napi-rs/napi-rs/nodejs-rust:lts-alpine` unpinned: `container/servi", "shortDescription": {"text": "[MINED126] Workflow container/services image `ghcr.io/napi-rs/napi-rs/nodejs-rust:lts-alpine` unpinned: `container/services image: ghcr.io/napi-rs/napi-rs/nodejs-rust:lts-alpine` without `@sha256:...` pulls a mutable tag at workflow-run tim"}, "fullDescription": {"text": "Replace with `ghcr.io/napi-rs/napi-rs/nodejs-rust:lts-alpine@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4.1.7`: `uses: actions/download-artifact@v4.1.7` ", "shortDescription": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4.1.7`: `uses: actions/download-artifact@v4.1.7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-"}, "fullDescription": {"text": "Replace with: `uses: actions/download-artifact@<40-char-sha>  # v4.1.7` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `tauri-plugin-{{ plugin_name }}-api` pulled from URL/Git: `dependencies.tauri-plugin-{{ plug", "shortDescription": {"text": "[MINED122] package.json dep `tauri-plugin-{{ plugin_name }}-api` pulled from URL/Git: `dependencies.tauri-plugin-{{ plugin_name }}-api` = `file:../../` bypasses the npm registry. No integrity hash, no version locking, no registry-side scann"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED008", "name": "[MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let.", "shortDescription": {"text": "[MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED029", "name": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety.", "shortDescription": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED039", "name": "[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path.", "shortDescription": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED041", "name": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs.", "shortDescription": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.BENCH_PAT` on a `pull_request` trigger: This workflow triggers on `pull_request`, whic", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.BENCH_PAT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BENCH_PAT }` lets a PR from any fork exfiltrate the secret (modify"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/757"}, "properties": {"repository": "tauri-apps/tauri", "repoUrl": "https://github.com/tauri-apps/tauri", "branch": "dev"}, "results": [{"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 62994, "scanner": "repobility-agent-runtime", "fingerprint": "ee385e8b66f93d857f77c848a2c33814ed2ef43191871f26738cbc8d5ad2df06", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ee385e8b66f93d857f77c848a2c33814ed2ef43191871f26738cbc8d5ad2df06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-cli-js.yml"}, "region": {"startLine": 172}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 62981, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 62936, "scanner": "repobility-threat-engine", "fingerprint": "ca0668a0ad4fdc5bbd9a71334ba4d4f75ef7f8dba4d4ad7d545d7c626c7da94a", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|36|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-cli/src/mobile/init.rs"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 62935, "scanner": "repobility-threat-engine", "fingerprint": "3ab4af5907283add98f4852c67f1393a229c2066f9f13c4d3b6e81f39c2aeb6c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|28|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".scripts/ci/check-change-tags.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62993, "scanner": "repobility-ai-code-hygiene", "fingerprint": "76f4bd06931d62948c4818041290be8a8b11ebdc616c7f2e536ee374c7291c48", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tauri-utils/src/html.rs", "duplicate_line": 219, "correlation_key": "fp|76f4bd06931d62948c4818041290be8a8b11ebdc616c7f2e536ee374c7291c48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-utils/src/html2.rs"}, "region": {"startLine": 84}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62992, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bc2b277bfb3312b2be088e59859f76824233c392ac7f2bad257556307ccb709c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tauri-utils/src/config/parse.rs", "duplicate_line": 53, "correlation_key": "fp|bc2b277bfb3312b2be088e59859f76824233c392ac7f2bad257556307ccb709c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-utils/src/config_v1/parse.rs"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62991, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b3ccca336356e25ad81117194353c0bd64e6fbfeaa8145ca56a8da88227e1a8b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tauri-runtime-wry/build.rs", "duplicate_line": 1, "correlation_key": "fp|b3ccca336356e25ad81117194353c0bd64e6fbfeaa8145ca56a8da88227e1a8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-runtime/build.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62990, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2a736603425e2319a6d331c1726d9b8654d25ac175f5b7b187c6b6262d5ade10", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tauri-cli/src/plugin/android.rs", "duplicate_line": 17, "correlation_key": "fp|2a736603425e2319a6d331c1726d9b8654d25ac175f5b7b187c6b6262d5ade10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-cli/src/plugin/ios.rs"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62989, "scanner": "repobility-ai-code-hygiene", "fingerprint": "22d34a11f30986e05f24597bd4487ac5ccf55fc048b4193a57a605895992b0a2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tauri-cli/src/mobile/android/android_studio_script.rs", "duplicate_line": 35, "correlation_key": "fp|22d34a11f30986e05f24597bd4487ac5ccf55fc048b4193a57a605895992b0a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-cli/src/mobile/ios/xcode_script.rs"}, "region": {"startLine": 62}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62988, "scanner": "repobility-ai-code-hygiene", "fingerprint": "69d78ef0942fe4b21ea8526ff6a05bd42d2b450658dbc907be9b51d2b8236f9f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tauri-cli/src/mobile/ios/dev.rs", "duplicate_line": 97, "correlation_key": "fp|69d78ef0942fe4b21ea8526ff6a05bd42d2b450658dbc907be9b51d2b8236f9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-cli/src/mobile/ios/run.rs"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62987, "scanner": "repobility-ai-code-hygiene", "fingerprint": "64e416054f82e2c3a9e9811c9cbec0940ae01c34285ee2c38c511742e113d85a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tauri-cli/src/mobile/android/run.rs", "duplicate_line": 18, "correlation_key": "fp|64e416054f82e2c3a9e9811c9cbec0940ae01c34285ee2c38c511742e113d85a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-cli/src/mobile/ios/run.rs"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62986, "scanner": "repobility-ai-code-hygiene", "fingerprint": "836e5087354abe5b207c051a1ab315b068e88df7979e6e0a76856a964a1e3170", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tauri-cli/src/mobile/ios/build.rs", "duplicate_line": 180, "correlation_key": "fp|836e5087354abe5b207c051a1ab315b068e88df7979e6e0a76856a964a1e3170"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-cli/src/mobile/ios/dev.rs"}, "region": {"startLine": 155}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62985, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0a146b361d60c604c6b17d1295259c4b95d34bffadc63c28072260b2576e5fe7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tauri-cli/src/mobile/android/dev.rs", "duplicate_line": 35, "correlation_key": "fp|0a146b361d60c604c6b17d1295259c4b95d34bffadc63c28072260b2576e5fe7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-cli/src/mobile/ios/dev.rs"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62984, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a0b6d449675230fe45ad3d06d24c4dae0580745772e088ffa246c2fc036a6bcc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tauri-cli/src/mobile/android/build.rs", "duplicate_line": 48, "correlation_key": "fp|a0b6d449675230fe45ad3d06d24c4dae0580745772e088ffa246c2fc036a6bcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-cli/src/mobile/ios/build.rs"}, "region": {"startLine": 93}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62983, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0ffda1181ae4a12e905d4b4f03fa6f6bb7123a81152f0d3025c26e4cf85274a3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tauri-bundler/src/error.rs", "duplicate_line": 80, "correlation_key": "fp|0ffda1181ae4a12e905d4b4f03fa6f6bb7123a81152f0d3025c26e4cf85274a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-cli/src/error.rs"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62982, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8f705f9afdb657980ddc329d7312dc09415ab7e13158a115fe159d5cf3696bfb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/tauri-build/src/lib.rs", "duplicate_line": 91, "correlation_key": "fp|8f705f9afdb657980ddc329d7312dc09415ab7e13158a115fe159d5cf3696bfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-bundler/src/utils/fs_utils.rs"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 62971, "scanner": "repobility-threat-engine", "fingerprint": "31cfe034f7d93b016997e51d1d01d0ffe0ab1f2b5cee2c8edd914a92a3c53c4c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|31cfe034f7d93b016997e51d1d01d0ffe0ab1f2b5cee2c8edd914a92a3c53c4c", "aggregated_count": 6}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 62970, "scanner": "repobility-threat-engine", "fingerprint": "5debe31012d7236525d28d7dfc62032c77c6f9cdeb70ed5828df3e74880bcb94", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5debe31012d7236525d28d7dfc62032c77c6f9cdeb70ed5828df3e74880bcb94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-runtime-wry/src/dialog/windows.rs"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 62969, "scanner": "repobility-threat-engine", "fingerprint": "aa65d577a26260ac6c6ebedb44c7a566c693bcca04080d9f76c6266e2de2f785", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa65d577a26260ac6c6ebedb44c7a566c693bcca04080d9f76c6266e2de2f785"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-cli/src/helpers/flock.rs"}, "region": {"startLine": 238}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 62968, "scanner": "repobility-threat-engine", "fingerprint": "8459a7af28b5ccce9230f9d5e3c73d50ecdc53cd0faf967a7099e5092768e2e5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8459a7af28b5ccce9230f9d5e3c73d50ecdc53cd0faf967a7099e5092768e2e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-bundler/src/bundle/windows/util.rs"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 62967, "scanner": "repobility-threat-engine", "fingerprint": "3c1eb41b87b4d4ddbbfc85cd56b1164f5889567c25abf9343773626880220905", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3c1eb41b87b4d4ddbbfc85cd56b1164f5889567c25abf9343773626880220905"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-driver/src/server.rs"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 62966, "scanner": "repobility-threat-engine", "fingerprint": "ebb9d6fd7bb6b9b6b9e378353f03c6643b5614d78d0b07c0f976c7f7cab918bb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ebb9d6fd7bb6b9b6b9e378353f03c6643b5614d78d0b07c0f976c7f7cab918bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-cli/src/dev.rs"}, "region": {"startLine": 248}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 62965, "scanner": "repobility-threat-engine", "fingerprint": "9a7fa37d4bcf2fcf8b852c8e97b1734dedf00ebb7789c0a7db8362e7d26c9795", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9a7fa37d4bcf2fcf8b852c8e97b1734dedf00ebb7789c0a7db8362e7d26c9795"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-bundler/src/bundle/macos/ios.rs"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 49 more): Same pattern found in 49 additional files. Review if needed."}, "properties": {"repobilityId": 62958, "scanner": "repobility-threat-engine", "fingerprint": "22a593052dcadf66a4528aa7fc43cbbf7202c3b8d168064edf3adeb985ed5ce8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 49 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|22a593052dcadf66a4528aa7fc43cbbf7202c3b8d168064edf3adeb985ed5ce8", "aggregated_count": 49}}}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 62954, "scanner": "repobility-threat-engine", "fingerprint": "a51fc5b757daa107ff993d54388f809af87b26cac35292629b20c635c24267fc", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a51fc5b757daa107ff993d54388f809af87b26cac35292629b20c635c24267fc", "aggregated_count": 1}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 62950, "scanner": "repobility-threat-engine", "fingerprint": "f2bf68dbf6d5f27d881fbdf44465eef3a6c230779270894ac9898491470c27b0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f2bf68dbf6d5f27d881fbdf44465eef3a6c230779270894ac9898491470c27b0", "aggregated_count": 6}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 62949, "scanner": "repobility-threat-engine", "fingerprint": "394c4dcb6ba4490d6540d63c0580b26f19150f361fb7a212944afc376bade184", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|394c4dcb6ba4490d6540d63c0580b26f19150f361fb7a212944afc376bade184"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-cli/src/acl/capability/new.rs"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 62948, "scanner": "repobility-threat-engine", "fingerprint": "876a60a5cd0e95ae0f0076e30159aa6aef7887c2dbd24e860b8ca07d8815abf8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|876a60a5cd0e95ae0f0076e30159aa6aef7887c2dbd24e860b8ca07d8815abf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/src/utils.rs"}, "region": {"startLine": 211}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 62947, "scanner": "repobility-threat-engine", "fingerprint": "8c0375cff966956ba21d440ca4381c20ed6fb3d8d25a2dbdef862fe9db14e51d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8c0375cff966956ba21d440ca4381c20ed6fb3d8d25a2dbdef862fe9db14e51d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/src/build_benchmark_jsons.rs"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 32 more): Same pattern found in 32 additional files. Review if needed."}, "properties": {"repobilityId": 62946, "scanner": "repobility-threat-engine", "fingerprint": "69aac443dc61308a1e09b2e9848addc2897700644fc2a77e7b0bec7dcc0010c2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 32 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|69aac443dc61308a1e09b2e9848addc2897700644fc2a77e7b0bec7dcc0010c2", "aggregated_count": 32}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 62945, "scanner": "repobility-threat-engine", "fingerprint": "f0414bcfdd5012a554acc84bececfcdd2595f3875cda01f951393165feb1fb2d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f0414bcfdd5012a554acc84bececfcdd2595f3875cda01f951393165feb1fb2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-bundler/src/bundle/linux/rpm.rs"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 62944, "scanner": "repobility-threat-engine", "fingerprint": "e100a15b3caf26f0a9529ef4827f560a5d19c65e7eb14c10e67001629d490d0f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e100a15b3caf26f0a9529ef4827f560a5d19c65e7eb14c10e67001629d490d0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-bundler/src/bundle/linux/appimage/linuxdeploy.rs"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 62943, "scanner": "repobility-threat-engine", "fingerprint": "e0995329900a421e038860f71920503b79a6f0e5fd1a60bf51654758b262c8e5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0995329900a421e038860f71920503b79a6f0e5fd1a60bf51654758b262c8e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/src/build_benchmark_jsons.rs"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 62942, "scanner": "repobility-threat-engine", "fingerprint": "4b3d1f5da7bc76208217d4630f94b5c604a37c1b24cbe552082771023e8fad2d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4b3d1f5da7bc76208217d4630f94b5c604a37c1b24cbe552082771023e8fad2d", "aggregated_count": 3}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 62941, "scanner": "repobility-threat-engine", "fingerprint": "bb26c7b4ce4a4a4a0444a760d5928d994d7c462bb42f9e2274b0f88bc0225e01", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bb26c7b4ce4a4a4a0444a760d5928d994d7c462bb42f9e2274b0f88bc0225e01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".scripts/ci/sync-cli-metadata.js"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 62940, "scanner": "repobility-threat-engine", "fingerprint": "94602d8d03ba28bddbca1fa4c3293cd1e0cd6bb8cadf17480c431d65c5fff99b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|94602d8d03ba28bddbca1fa4c3293cd1e0cd6bb8cadf17480c431d65c5fff99b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".scripts/ci/check-license-header.js"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 62939, "scanner": "repobility-threat-engine", "fingerprint": "5cddc3bb58cf56f1e733a13de8723415ac95e524de89318a62ff99fd38b8c390", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5cddc3bb58cf56f1e733a13de8723415ac95e524de89318a62ff99fd38b8c390"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".scripts/ci/check-change-tags.js"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/napi-rs/napi-rs/nodejs-rust:lts-alpine` unpinned: `container/services image: ghcr.io/napi-rs/napi-rs/nodejs-rust:lts-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 63022, "scanner": "repobility-supply-chain", "fingerprint": "dd1e43f66c30e463fc071fed50a66b7ea5f1c1c6daf980d3fcd32fd9f5c248ef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dd1e43f66c30e463fc071fed50a66b7ea5f1c1c6daf980d3fcd32fd9f5c248ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-cli-js.yml"}, "region": {"startLine": 285}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4.1.7`: `uses: actions/download-artifact@v4.1.7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63020, "scanner": "repobility-supply-chain", "fingerprint": "8c1a3a7c29aed6a6c68fcf3085421fd0d970101c1dfbc6ed8c6d424894323c33", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8c1a3a7c29aed6a6c68fcf3085421fd0d970101c1dfbc6ed8c6d424894323c33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63019, "scanner": "repobility-supply-chain", "fingerprint": "58a55e941dd2524e36ce7d5bff0f9e95d1f923e9ea992023314197cb5b3c1f51", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|58a55e941dd2524e36ce7d5bff0f9e95d1f923e9ea992023314197cb5b3c1f51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63018, "scanner": "repobility-supply-chain", "fingerprint": "1f99d90f08c21cd09e270b2f91ea36e3797835d3d8eb21fec6d4638bc262f76a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1f99d90f08c21cd09e270b2f91ea36e3797835d3d8eb21fec6d4638bc262f76a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63017, "scanner": "repobility-supply-chain", "fingerprint": "10c8a77460b551bbe9b42d3e2de4e31a6e3401b78649433534da0c5f216bf120", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|10c8a77460b551bbe9b42d3e2de4e31a6e3401b78649433534da0c5f216bf120"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63016, "scanner": "repobility-supply-chain", "fingerprint": "40c136108a3bb18bc5ef3973eff8a2f552b31d5b5bd1630e259ff59b616a4d2e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|40c136108a3bb18bc5ef3973eff8a2f552b31d5b5bd1630e259ff59b616a4d2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63015, "scanner": "repobility-supply-chain", "fingerprint": "4a07e89c78fa9f9729c137acb609da064bf1ba04965e1eb4a663da8eabe6c778", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4a07e89c78fa9f9729c137acb609da064bf1ba04965e1eb4a663da8eabe6c778"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63014, "scanner": "repobility-supply-chain", "fingerprint": "a0641352f8d2ac44e72ade87d78f1b514ad5b1f27319495bb362797f31ae234e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a0641352f8d2ac44e72ade87d78f1b514ad5b1f27319495bb362797f31ae234e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63013, "scanner": "repobility-supply-chain", "fingerprint": "a26746f9625d27ce4c9da76554597cea41dd879f2b78830e9267340d0b4f624b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a26746f9625d27ce4c9da76554597cea41dd879f2b78830e9267340d0b4f624b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4.1.7`: `uses: actions/download-artifact@v4.1.7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63012, "scanner": "repobility-supply-chain", "fingerprint": "428cb01bca5677cc8af852d9d1305e25bfa9890976ec47494c9a73a06bff679c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|428cb01bca5677cc8af852d9d1305e25bfa9890976ec47494c9a73a06bff679c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-cli-rs.yml"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63011, "scanner": "repobility-supply-chain", "fingerprint": "7b5581ba9aa83f7057b10a61f43bed700114d33a4435ad7f1781326e4b4b1340", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7b5581ba9aa83f7057b10a61f43bed700114d33a4435ad7f1781326e4b4b1340"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-cli-rs.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63010, "scanner": "repobility-supply-chain", "fingerprint": "6259385d37a32910ebe68e6c400289cefa091a09b24c7270e394e3c0d897d262", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6259385d37a32910ebe68e6c400289cefa091a09b24c7270e394e3c0d897d262"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-cli-rs.yml"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `taiki-e/install-action` pinned to mutable ref `@v2`: `uses: taiki-e/install-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63009, "scanner": "repobility-supply-chain", "fingerprint": "1c3563533fb736f66fee46a8bc7d36e16faee1ffad2edf0cd73aa175437dc567", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1c3563533fb736f66fee46a8bc7d36e16faee1ffad2edf0cd73aa175437dc567"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-cli-rs.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63008, "scanner": "repobility-supply-chain", "fingerprint": "54c196d721bcc9cfe7b56a8adac00144b0aeb4b96014b3159be55eeefff279b3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|54c196d721bcc9cfe7b56a8adac00144b0aeb4b96014b3159be55eeefff279b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-cli-rs.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63007, "scanner": "repobility-supply-chain", "fingerprint": "5f5289732cdee83f95b6cc97b63cb406e8a2d329d23cc0c995414eb060e35f01", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5f5289732cdee83f95b6cc97b63cb406e8a2d329d23cc0c995414eb060e35f01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-cli-rs.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63006, "scanner": "repobility-supply-chain", "fingerprint": "f32813b535526f129e72923f8416f9c818b8696105bbcf01c648295a6aba7911", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f32813b535526f129e72923f8416f9c818b8696105bbcf01c648295a6aba7911"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-cli-rs.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dorny/paths-filter` pinned to mutable ref `@v3`: `uses: dorny/paths-filter@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63005, "scanner": "repobility-supply-chain", "fingerprint": "1f0cc5e0c49d6938a9d78c3730744730c24ccc7cbd2ebc5ada2593ed8f802828", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1f0cc5e0c49d6938a9d78c3730744730c24ccc7cbd2ebc5ada2593ed8f802828"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-license-header.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63004, "scanner": "repobility-supply-chain", "fingerprint": "1743495f02dbab58239a21eae74eb24794d979e1bcaeaae043263ec0222f0eaa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1743495f02dbab58239a21eae74eb24794d979e1bcaeaae043263ec0222f0eaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-license-header.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63003, "scanner": "repobility-supply-chain", "fingerprint": "a5e3732eb2dda23534c36bf492c8c71d5e0e02869e4c9980f32ab1620d83ac68", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a5e3732eb2dda23534c36bf492c8c71d5e0e02869e4c9980f32ab1620d83ac68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-core.yml"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@master`: `uses: dtolnay/rust-toolchain@master` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63002, "scanner": "repobility-supply-chain", "fingerprint": "8789fa9ee93e1450d7e8411134dd11c0708327cf236c3b977fb388a998a69a95", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8789fa9ee93e1450d7e8411134dd11c0708327cf236c3b977fb388a998a69a95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-core.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63001, "scanner": "repobility-supply-chain", "fingerprint": "a892ca374b3c5c76645cad242e0c2452a463bd6b46b3796d483a1b8023625983", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a892ca374b3c5c76645cad242e0c2452a463bd6b46b3796d483a1b8023625983"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-core.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63000, "scanner": "repobility-supply-chain", "fingerprint": "41e2df437c175a199bcac6aaa77169ae347dec7c74b5467206822c1e441ec527", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|41e2df437c175a199bcac6aaa77169ae347dec7c74b5467206822c1e441ec527"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint-js.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62999, "scanner": "repobility-supply-chain", "fingerprint": "12bac9197298709a9164f9cb892422e32acd9c45d31a9bf22ea4b9689695de3d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|12bac9197298709a9164f9cb892422e32acd9c45d31a9bf22ea4b9689695de3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint-js.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62998, "scanner": "repobility-supply-chain", "fingerprint": "b681ebbcacfbc19eeb5e17351258e40090273752846a8db39409a1cdd5523820", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b681ebbcacfbc19eeb5e17351258e40090273752846a8db39409a1cdd5523820"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint-js.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62997, "scanner": "repobility-supply-chain", "fingerprint": "27291568f187f05a41c9aade7c611ed834dcd6d54bef91ba4be21651f0e3ee9f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|27291568f187f05a41c9aade7c611ed834dcd6d54bef91ba4be21651f0e3ee9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint-js.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62996, "scanner": "repobility-supply-chain", "fingerprint": "6967bde249217fe95ac9a10237a4ccba3b7c40cf8ed795b993fd916a40dfbaeb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6967bde249217fe95ac9a10237a4ccba3b7c40cf8ed795b993fd916a40dfbaeb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/covector-status.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `tauri-plugin-{{ plugin_name }}-api` pulled from URL/Git: `dependencies.tauri-plugin-{{ plugin_name }}-api` = `file:../../` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 62995, "scanner": "repobility-supply-chain", "fingerprint": "4b3a6d028b9d4e51aeca4731324a82f9100722ef19a4d31ec4c93bab71d0f796", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b3a6d028b9d4e51aeca4731324a82f9100722ef19a4d31ec4c93bab71d0f796"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-cli/templates/plugin/__example-api/tauri-app/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED008", "level": "error", "message": {"text": "[MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let."}, "properties": {"repobilityId": 62980, "scanner": "repobility-threat-engine", "fingerprint": "3a245a72e2aa0036d8e185c9150b496340cdc928a22f4ceb8a7dbebff2cc6005", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "swift-force-unwrap", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["swift"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347916+00:00", "triaged_in_corpus": 15, "observations_count": 210453, "ai_coder_pattern_id": 157}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3a245a72e2aa0036d8e185c9150b496340cdc928a22f4ceb8a7dbebff2cc6005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri/mobile/ios-api/Sources/Tauri/Tauri.swift"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety."}, "properties": {"repobilityId": 62979, "scanner": "repobility-threat-engine", "fingerprint": "309578c2b4d74765aa8484f70c427717acbc87a1a4e023b431ecdb4b39ebb12d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|309578c2b4d74765aa8484f70c427717acbc87a1a4e023b431ecdb4b39ebb12d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri/mobile/android/src/main/java/app/tauri/plugin/PluginManager.kt"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety."}, "properties": {"repobilityId": 62978, "scanner": "repobility-threat-engine", "fingerprint": "3486c4a87a5b1187c7ba619bef200e4a2147dc60cdc75b6dc7c778e282409092", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3486c4a87a5b1187c7ba619bef200e4a2147dc60cdc75b6dc7c778e282409092"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri/mobile/android/src/main/java/app/tauri/FsUtils.kt"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety."}, "properties": {"repobilityId": 62977, "scanner": "repobility-threat-engine", "fingerprint": "be163a3a337ca3f795fcb52a095e104236aaac87271ac6544d2c2204c0f64b56", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|be163a3a337ca3f795fcb52a095e104236aaac87271ac6544d2c2204c0f64b56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri/mobile/android/src/main/java/app/tauri/AppPlugin.kt"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED039", "level": "error", "message": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path."}, "properties": {"repobilityId": 62976, "scanner": "repobility-threat-engine", "fingerprint": "f064fa7fcd2b3de1f2c676f57580dc228d44336a5cf88ea8b567dac688848039", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-todo-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347989+00:00", "triaged_in_corpus": 15, "observations_count": 1561, "ai_coder_pattern_id": 114}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f064fa7fcd2b3de1f2c676f57580dc228d44336a5cf88ea8b567dac688848039"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-utils/src/acl/identifier.rs"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED039", "level": "error", "message": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path."}, "properties": {"repobilityId": 62975, "scanner": "repobility-threat-engine", "fingerprint": "3eb9f78d823d955f8a33841de24ad03db8561d89aa0b0793dc92b9045355de3e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-todo-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347989+00:00", "triaged_in_corpus": 15, "observations_count": 1561, "ai_coder_pattern_id": 114}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3eb9f78d823d955f8a33841de24ad03db8561d89aa0b0793dc92b9045355de3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-cli/src/add.rs"}, "region": {"startLine": 130}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 62974, "scanner": "repobility-threat-engine", "fingerprint": "41a6785cb989a3b32f5f91418365b92e5a0f9a669c68a991072bfdc339c23647", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "callbacks.delete(id)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|41a6785cb989a3b32f5f91418365b92e5a0f9a669c68a991072bfdc339c23647"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri/scripts/core.js"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 62973, "scanner": "repobility-threat-engine", "fingerprint": "00077fbc25e28994d6d3d3d73b37f3b773acc9fbb9f5fd21bdc8afc2b351db23", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hasher.update(bytes);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|00077fbc25e28994d6d3d3d73b37f3b773acc9fbb9f5fd21bdc8afc2b351db23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-codegen/src/lib.rs"}, "region": {"startLine": 104}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 62972, "scanner": "repobility-threat-engine", "fingerprint": "cb03d5f355f2e41a25a0e227c33bf61f9362787c5de934b34ea130707640d13e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hasher.update(data);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cb03d5f355f2e41a25a0e227c33bf61f9362787c5de934b34ea130707640d13e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-bundler/src/utils/http_utils.rs"}, "region": {"startLine": 134}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 62964, "scanner": "repobility-threat-engine", "fingerprint": "9f0d17aa9e254ae4a10a60a31e4f6a27134abf0c43c72fec76ad39b825404e41", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9f0d17aa9e254ae4a10a60a31e4f6a27134abf0c43c72fec76ad39b825404e41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri/mobile/ios-api/Sources/Tauri/Tauri.swift"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 62963, "scanner": "repobility-threat-engine", "fingerprint": "3cac4d7f4fd69603ee16106e47a311008664a3bd03194b428efb9d6e8fde6fe4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3cac4d7f4fd69603ee16106e47a311008664a3bd03194b428efb9d6e8fde6fe4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-bundler/src/utils/http_utils.rs"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 62962, "scanner": "repobility-threat-engine", "fingerprint": "e51e3ce1bd21f6b5fc8f23ed600752b8a3da7b276fd3793565c6a83abd34fd75", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(h", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e51e3ce1bd21f6b5fc8f23ed600752b8a3da7b276fd3793565c6a83abd34fd75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-bundler/src/bundle/linux/rpm.rs"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 62961, "scanner": "repobility-threat-engine", "fingerprint": "6351e27a9a94691063ad1fbe954df4bab66d5e8f93123905fb2107b95a151489", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6351e27a9a94691063ad1fbe954df4bab66d5e8f93123905fb2107b95a151489"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-runtime-wry/src/dialog/mod.rs"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 62960, "scanner": "repobility-threat-engine", "fingerprint": "c2a7fb38f5d65f01a857434b6586bc55423cfcacb6b06af745ea1a3b3ecb1891", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c2a7fb38f5d65f01a857434b6586bc55423cfcacb6b06af745ea1a3b3ecb1891"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-build/src/mobile.rs"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 62959, "scanner": "repobility-threat-engine", "fingerprint": "803742e7c512f19b74fbf1c321d3e39e8120e91c5b73b1fb2ed4171458af4667", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|803742e7c512f19b74fbf1c321d3e39e8120e91c5b73b1fb2ed4171458af4667"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/src/utils.rs"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 62957, "scanner": "repobility-threat-engine", "fingerprint": "a3393488a31a362021a34d9ec608d6a2fd6f2e34c249d466a1cf8a11973e470f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a3393488a31a362021a34d9ec608d6a2fd6f2e34c249d466a1cf8a11973e470f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-bundler/src/bundle/linux/appimage/linuxdeploy.rs"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 62956, "scanner": "repobility-threat-engine", "fingerprint": "efac30db490de20a0eaa35881ea8f9045c4a0dc42bed1f0f169ad85e74c08eef", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|efac30db490de20a0eaa35881ea8f9045c4a0dc42bed1f0f169ad85e74c08eef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-build/src/static_vcruntime.rs"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 62955, "scanner": "repobility-threat-engine", "fingerprint": "13c7acfd66a38b6e32fd3606602ade006d55d9fa356b4337584ab4ac6417004b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|13c7acfd66a38b6e32fd3606602ade006d55d9fa356b4337584ab4ac6417004b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/src/utils.rs"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 62953, "scanner": "repobility-threat-engine", "fingerprint": "c6931e73908b96af589b157d6b6820c598a41c4e876d21e83483f1b5d9eba9be", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c6931e73908b96af589b157d6b6820c598a41c4e876d21e83483f1b5d9eba9be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-bundler/src/bundle/windows/sign.rs"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 62952, "scanner": "repobility-threat-engine", "fingerprint": "a419f7b04056850409df0a677dce082cdce7f35ad9b6672d76d3625dc6e60f6d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a419f7b04056850409df0a677dce082cdce7f35ad9b6672d76d3625dc6e60f6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/src/utils.rs"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 62951, "scanner": "repobility-threat-engine", "fingerprint": "6f9d6effe3c5d3c6ee2c155a6de828ff7b9661ef9c11dbf337560fe22b2f3049", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6f9d6effe3c5d3c6ee2c155a6de828ff7b9661ef9c11dbf337560fe22b2f3049"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/src/run_benchmark.rs"}, "region": {"startLine": 353}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 62938, "scanner": "repobility-threat-engine", "fingerprint": "aa0f68cb11173b323518c364c30174e58b69d2efeda28572028952fb3bfc11ab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(\n    target", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aa0f68cb11173b323518c364c30174e58b69d2efeda28572028952fb3bfc11ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/tauri-cli/src/mobile/init.rs"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 62937, "scanner": "repobility-threat-engine", "fingerprint": "1f22291caa6083f5de5d4fbd89f81b6e52b9c45314d128541a5118e8cb64d459", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1f22291caa6083f5de5d4fbd89f81b6e52b9c45314d128541a5118e8cb64d459"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".scripts/ci/check-change-tags.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BENCH_PAT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BENCH_PAT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63021, "scanner": "repobility-supply-chain", "fingerprint": "9e75e027961f64263ad844f9fc4dc584542eb3a4c3c0bc6758fea5b3abe93598", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9e75e027961f64263ad844f9fc4dc584542eb3a4c3c0bc6758fea5b3abe93598"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bench.yml"}, "region": {"startLine": 78}}}]}]}]}