{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hcf7-66rw-9f5r", "name": "turbo: GHSA-hcf7-66rw-9f5r", "shortDescription": {"text": "turbo: GHSA-hcf7-66rw-9f5r"}, "fullDescription": {"text": "Turbo: Login callback CSRF/session fixation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": 
"GHSA-v3rj-xjv7-4jmq", "name": "smol-toml: GHSA-v3rj-xjv7-4jmq", "shortDescription": {"text": "smol-toml: GHSA-v3rj-xjv7-4jmq"}, "fullDescription": {"text": "smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fm4j-4xhm-xpwx", "name": "sandbox: GHSA-fm4j-4xhm-xpwx", "shortDescription": {"text": "sandbox: GHSA-fm4j-4xhm-xpwx"}, "fullDescription": {"text": "Sandbox Breakout / Arbitrary Code Execution in sandbox"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xrhx-7g5j-rcj5", "name": "hono: GHSA-xrhx-7g5j-rcj5", "shortDescription": {"text": "hono: GHSA-xrhx-7g5j-rcj5"}, "fullDescription": {"text": "Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f577-qrjj-4474", "name": "hono: GHSA-f577-qrjj-4474", "shortDescription": {"text": "hono: GHSA-f577-qrjj-4474"}, "fullDescription": {"text": "Hono: JWT middleware accepts any Authorization scheme, not only Bearer"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3hrh-pfw6-9m5x", "name": "hono: GHSA-3hrh-pfw6-9m5x", 
"shortDescription": {"text": "hono: GHSA-3hrh-pfw6-9m5x"}, "fullDescription": {"text": "Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2gcr-mfcq-wcc3", "name": "hono: GHSA-2gcr-mfcq-wcc3", "shortDescription": {"text": "hono: GHSA-2gcr-mfcq-wcc3"}, "fullDescription": {"text": "Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jxxr-4gwj-5jf2", "name": "brace-expansion: GHSA-jxxr-4gwj-5jf2", "shortDescription": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "fullDescription": {"text": "brace-expansion: Large numeric range defeats documented `max` DoS protection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-898c-q2cr-xwhg", "name": "axios: GHSA-898c-q2cr-xwhg", "shortDescription": {"text": "axios: GHSA-898c-q2cr-xwhg"}, "fullDescription": {"text": "axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC125", "name": "[SEC125] AI placeholder 
credential left in source (your-api-key-here style): AI coding assistants frequently emit placeh", "shortDescription": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim "}, "fullDescription": {"text": "Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is      functionally equivalent to `a+` for matching purposes.\n  2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in      replacement for `re` for most use cases.\n  3. 
Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `@opentelemetry/sdk-trace-base` is 1 major version(s) behind (1.25.1 -> 2.7.1)", "shortDescription": {"text": "npm package `@opentelemetry/sdk-trace-base` is 1 major version(s) behind (1.25.1 -> 2.7.1)"}, "fullDescription": {"text": "`@opentelemetry/sdk-trace-base` is pinned/resolved at 1.25.1 but the latest stable release on the npm registry is 2.7.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. 
This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. 
Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "GHSA-3qcw-2rhx-2726", "name": "turbo: GHSA-3qcw-2rhx-2726", "shortDescription": {"text": "turbo: GHSA-3qcw-2rhx-2726"}, "fullDescription": {"text": "Turbo: Unexpected local code execution during Yarn Berry detection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-654m-c8p4-x5fp", "name": "axios: GHSA-654m-c8p4-x5fp", "shortDescription": {"text": "axios: GHSA-654m-c8p4-x5fp"}, "fullDescription": {"text": "Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution \u2014 Incomplete Null-Prototype Fix"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] 
String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source (and 89 more): Same pattern found in 89 additional files. Review if needed.", "shortDescription": {"text": "[MINED047] Emoji In Source (and 89 more): Same pattern found in 89 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED049] Print Pii (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 2 more): Same pattern found in 2 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED074", "name": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI halluci", "shortDescription": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 4 more): Same pattern found in 4 additional files. 
Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 27 more): Same pattern found in 27 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 58 more): Same pattern found in 58 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 58 more): Same pattern found in 58 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 12 more): Same pattern found in 12 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 21 more): Same pattern found in 21 additional f", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 31 more): Same pattern found in 31 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 31 more): Same pattern found in 31 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 161 more): Same pattern found in 161 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 161 more): Same pattern found in 161 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 22 more): Same pattern found in 22 additional files. Review if nee", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 22 more): Same pattern found in 22 additional files. 
Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "A frontend journey appears to ask for consent to share identity/KYC/biometric data, but backend code does not show a consent audit model with scope, purpose, legal text version, timestamp, IP, or user-agent evidence."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "GHSA-ph9p-34f9-6g65", "name": "tmp: GHSA-ph9p-34f9-6g65", "shortDescription": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "fullDescription": {"text": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MAL-2026-5187", "name": "supabase: MAL-2026-5187", "shortDescription": {"text": "supabase: MAL-2026-5187"}, "fullDescription": {"text": "Malicious code in supabase (npm)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pjwm-pj3p-43mv", "name": "axios: GHSA-pjwm-pj3p-43mv", "shortDescription": {"text": "axios: GHSA-pjwm-pj3p-43mv"}, "fullDescription": {"text": "axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": 
"GHSA-p92q-9vqr-4j8v", "name": "axios: GHSA-p92q-9vqr-4j8v", "shortDescription": {"text": "axios: GHSA-p92q-9vqr-4j8v"}, "fullDescription": {"text": "Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j5f8-grm9-p9fc", "name": "axios: GHSA-j5f8-grm9-p9fc", "shortDescription": {"text": "axios: GHSA-j5f8-grm9-p9fc"}, "fullDescription": {"text": "Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hfxv-24rg-xrqf", "name": "axios: GHSA-hfxv-24rg-xrqf", "shortDescription": {"text": "axios: GHSA-hfxv-24rg-xrqf"}, "fullDescription": {"text": "Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-777c-7fjr-54vf", "name": "axios: GHSA-777c-7fjr-54vf", "shortDescription": {"text": "axios: GHSA-777c-7fjr-54vf"}, "fullDescription": {"text": "Allocation of Resources Without Limits or Throttling in Axios"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-35jp-ww65-95wh", "name": "axios: GHSA-35jp-ww65-95wh", "shortDescription": {"text": "axios: GHSA-35jp-ww65-95wh"}, "fullDescription": {"text": "axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q7rr-3cgh-j5r3", "name": "@opentelemetry/sdk-node: 
GHSA-q7rr-3cgh-j5r3", "shortDescription": {"text": "@opentelemetry/sdk-node: GHSA-q7rr-3cgh-j5r3"}, "fullDescription": {"text": "Prometheus exporter process crash via malformed HTTP request"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service (DoS). Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED031", "name": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render.", "shortDescription": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED099", "name": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded dir", "shortDescription": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "fullDescription": {"text": "Move the secret to an environment variable or secret manager. Rotate the exposed credential immediately \u2014 assume it is compromised."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC061", "name": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from", "shortDescription": {"text": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT)."}, "fullDescription": {"text": "If the JWT is live, invalidate by rotating the signing key. 
Move tokens out of source."}, "properties": {"scanner": "repobility-threat-engine", "category": "secret", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `node:22-slim` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `node:22-slim` not pinned by digest"}, "fullDescription": {"text": "`FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express POST /items/ has no auth", "shortDescription": {"text": "Express POST /items/ has no auth"}, "fullDescription": {"text": "Express route POST /items/ declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "GHSA-gc25-3vc5-2jf9", "name": "sandbox: GHSA-gc25-3vc5-2jf9", "shortDescription": {"text": "sandbox: GHSA-gc25-3vc5-2jf9"}, "fullDescription": {"text": "Sandbox Breakout / Arbitrary Code Execution in sandbox"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "vercel-token", "name": "Vercel Token", "shortDescription": {"text": "Vercel Token"}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-95 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED133", "name": "Hardcoded Slack webhook URL in source", "shortDescription": {"text": "Hardcoded Slack webhook URL in source"}, "fullDescription": {"text": "File contains a hardcoded `Slack` webhook URL: `https://hooks.slack.com/services/T123/B456/SECRETKEY...`. Webhook URLs are unauthenticated POST endpoints \u2014 anyone with the URL can send messages. They are also a common data-exfiltration channel for compromised packages (malicious post-install collects env vars + POSTs them)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GIT_CRYPT_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1385"}, "properties": {"repository": "smith-horn/skillsmith", "repoUrl": "https://github.com/smith-horn/skillsmith", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 142063, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 142058, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", 
"frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 142057, "scanner": "osv-scanner", "fingerprint": "1b788fa8525382946c739270c1849aaa868327cf2c4216daf211eef3de5db45b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hcf7-66rw-9f5r", "level": "warning", "message": {"text": "turbo: GHSA-hcf7-66rw-9f5r"}, "properties": {"repobilityId": 142056, "scanner": "osv-scanner", "fingerprint": "22e99a428281b6299a1d085daa3c0c79e799caeda172da31f17d5e028624807d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45773"], "package": "turbo", "rule_id": "GHSA-hcf7-66rw-9f5r", "scanner": "osv-scanner", "correlation_key": "vuln|turbo|CVE-2026-45773|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v3rj-xjv7-4jmq", "level": "warning", "message": {"text": "smol-toml: GHSA-v3rj-xjv7-4jmq"}, "properties": {"repobilityId": 142052, "scanner": "osv-scanner", "fingerprint": "7524b2ee2a7a8641d90f93c865cb4b021e4581583c99bf016e5fd1d2d1160454", "category": "dependency", "severity": "medium", "confidence": 
0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "smol-toml", "rule_id": "GHSA-v3rj-xjv7-4jmq", "scanner": "osv-scanner", "correlation_key": "vuln|smol-toml|GHSA-V3RJ-XJV7-4JMQ|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fm4j-4xhm-xpwx", "level": "warning", "message": {"text": "sandbox: GHSA-fm4j-4xhm-xpwx"}, "properties": {"repobilityId": 142050, "scanner": "osv-scanner", "fingerprint": "96823ede5e9be774d832671461c3d510da6e0ac5e5f8483e0982c219d96cbe6b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "sandbox", "rule_id": "GHSA-fm4j-4xhm-xpwx", "scanner": "osv-scanner", "correlation_key": "vuln|sandbox|GHSA-FM4J-4XHM-XPWX|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 142049, "scanner": "osv-scanner", "fingerprint": "47af66b2941511910bef679f7fdc36232d020247a0f6ed279e094f6f5cfdf3b5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xrhx-7g5j-rcj5", "level": "warning", "message": {"text": "hono: GHSA-xrhx-7g5j-rcj5"}, "properties": {"repobilityId": 142048, "scanner": "osv-scanner", "fingerprint": 
"f8e3114b3f74e8695a460fbf4c7ae43ac53a5f8ec4039006650c458651172ab1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47674"], "package": "hono", "rule_id": "GHSA-xrhx-7g5j-rcj5", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47674|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f577-qrjj-4474", "level": "warning", "message": {"text": "hono: GHSA-f577-qrjj-4474"}, "properties": {"repobilityId": 142047, "scanner": "osv-scanner", "fingerprint": "49282a15bbfc9e6e6ea39695b12f6c9658d0e8207bad45ad113b356e942bd130", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47673"], "package": "hono", "rule_id": "GHSA-f577-qrjj-4474", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47673|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3hrh-pfw6-9m5x", "level": "warning", "message": {"text": "hono: GHSA-3hrh-pfw6-9m5x"}, "properties": {"repobilityId": 142046, "scanner": "osv-scanner", "fingerprint": "361c021f739f5706f364aeccb9438f92bf87afe76b41db2d0e63dcd5fd65c6ef", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47675"], "package": "hono", "rule_id": "GHSA-3hrh-pfw6-9m5x", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47675|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2gcr-mfcq-wcc3", 
"level": "warning", "message": {"text": "hono: GHSA-2gcr-mfcq-wcc3"}, "properties": {"repobilityId": 142045, "scanner": "osv-scanner", "fingerprint": "25e1fe71f60ecac7a62fc842d6f8859077b12d636fc68e35c189c726a481c5e5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47676"], "package": "hono", "rule_id": "GHSA-2gcr-mfcq-wcc3", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47676|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jxxr-4gwj-5jf2", "level": "warning", "message": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "properties": {"repobilityId": 142044, "scanner": "osv-scanner", "fingerprint": "424de426cd602f1c8b6679b49b7bfe47ca14575769f019abfeaa4836511a1e32", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45149"], "package": "brace-expansion", "rule_id": "GHSA-jxxr-4gwj-5jf2", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-45149|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-898c-q2cr-xwhg", "level": "warning", "message": {"text": "axios: GHSA-898c-q2cr-xwhg"}, "properties": {"repobilityId": 142039, "scanner": "osv-scanner", "fingerprint": "e0f789ea8b2d8f62959bbaf20e3ba5535e687b8c3be953373597bdc70b626254", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44490"], "package": "axios", "rule_id": "GHSA-898c-q2cr-xwhg", "scanner": "osv-scanner", "correlation_key": 
"vuln|axios|CVE-2026-44490|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 142007, "scanner": "repobility-threat-engine", "fingerprint": "f33b4dafff9eda183e75a83c603c1f3cec5b4bb9de06825fd87711d2e4c561f7", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD=\"<redacted>}\"", "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|scripts/pooler-psql.sh|4|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/pooler-psql.sh"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 142006, "scanner": "repobility-threat-engine", "fingerprint": "92152c562a40ad97192c14571dd49672bb8c996b7d61b60bdd334266fcd6252e", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD=\"<redacted>}\"", "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|6|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"scripts/pooler-psql-session.sh"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 142005, "scanner": "repobility-threat-engine", "fingerprint": "c32939e941f1c585a6b9ef1ca4f1d4bda42ce778e68a3be06413fe1a2f8ceafc", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.8 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD=\"<redacted>}\"", "reason": "Low entropy value (3.8 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|7|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/apply-075-audit-logs-index.sh"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC125", "level": "warning", "message": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim \u2014 production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. 
Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand"}, "properties": {"repobilityId": 141998, "scanner": "repobility-threat-engine", "fingerprint": "79d6e92539d7fb90575d9fe03abd0861f1318919aa171ee7606320092c835572", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"your_key_here\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC125", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|79d6e92539d7fb90575d9fe03abd0861f1318919aa171ee7606320092c835572"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/middleware/errorFormatter.builders.ts"}, "region": {"startLine": 218}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. 
Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 141996, "scanner": "repobility-threat-engine", "fingerprint": "12941af796c32ec4495d2dcfa4638a40f1701983fa69f5f8cdc57da4f10d840d", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern)\n    return regex.test(value)\n  } catch {\n    // Invalid regex - fall back to saf", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|12941af796c32ec4495d2dcfa4638a40f1701983fa69f5f8cdc57da4f10d840d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/validation/input-validators.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 141990, "scanner": "repobility-threat-engine", "fingerprint": "387747d06f82511bd6173c7bd5348f62853b99671785b417da90af72d123d8c0", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|387747d06f82511bd6173c7bd5348f62853b99671785b417da90af72d123d8c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/services/skill-manifest.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": 
{"repobilityId": 141989, "scanner": "repobility-threat-engine", "fingerprint": "2ffd5f81ee383728bccd40513cb1431d6dd2ba95ee6255d90e2c9a01dc9551b9", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2ffd5f81ee383728bccd40513cb1431d6dd2ba95ee6255d90e2c9a01dc9551b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/services/skill-installation.io.ts"}, "region": {"startLine": 129}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 141988, "scanner": "repobility-threat-engine", "fingerprint": "a0a01313e9727d2b5ae9b9a5749f39755a1e2190c5649208f2787e52bdd433d6", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a0a01313e9727d2b5ae9b9a5749f39755a1e2190c5649208f2787e52bdd433d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/services/skill-installation.feedback.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 141976, "scanner": "repobility-threat-engine", "fingerprint": "ea55909c713ecdb9e486e9ed16f59d6313c379b2c484952324d220e8f5c5ecf5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ivate generateId(): string {\n    return `quota_${Date.now()}_${Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ea55909c713ecdb9e486e9ed16f59d6313c379b2c484952324d220e8f5c5ecf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/enterprise/src/quota/QuotaEnforcementService.ts"}, "region": {"startLine": 357}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 141975, "scanner": "repobility-threat-engine", "fingerprint": "af7436f81849dd4c92cb2d4237989e742c9d52bedd5c25426cf2cd9d7b4146f5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * 20) + 1)\n      this.testKeys.push(key)\n      this.testResults.set(key", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|af7436f81849dd4c92cb2d4237989e742c9d52bedd5c25426cf2cd9d7b4146f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/benchmarks/cacheBenchmark.ts"}, "region": {"startLine": 280}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 141974, "scanner": "repobility-threat-engine", "fingerprint": "830a5137bbbbba48eb09e3c18daaaa34bb1e6c3101634d428bd0441b4016b1d7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random().toString(36).slice(2)}`,\n  }\n\n  if (anonKey) {\n    headers['apikey'] = anonKey", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|830a5137bbbbba48eb09e3c18daaaa34bb1e6c3101634d428bd0441b4016b1d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/api/utils.ts"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 141954, "scanner": "repobility-threat-engine", "fingerprint": "729bc694a654e0ab7cf0593ffea85120b73f20b19ef16a9083dc9af5873d65dd", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|67|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/analysis/adapters/java-parsers.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 141953, "scanner": "repobility-threat-engine", "fingerprint": "ea9ff586939f8d4731717290006e5f52e69f56c606ab6de6f54837894bc40058", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|80|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/analysis/McpReferenceExtractor.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 141952, "scanner": "repobility-threat-engine", "fingerprint": "28fb90b1dad8e05ed447fe1071b9f0f94b0938cd2f242dd10cc3a8cd70415c53", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|37|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/diff.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@opentelemetry/sdk-trace-base` is 1 major version(s) behind (1.25.1 -> 2.7.1)"}, "properties": {"repobilityId": 141926, "scanner": "repobility-dependency-currency", "fingerprint": "23b34b47f460fe2f7f7fded4e0324a3982f34c8d14cbf321968be01486a47393", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@opentelemetry/sdk-trace-base", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.7.1", "correlation_key": "fp|23b34b47f460fe2f7f7fded4e0324a3982f34c8d14cbf321968be01486a47393", "current_version": "1.25.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@opentelemetry/resources` is 1 major version(s) behind (1.25.1 -> 2.7.1)"}, "properties": {"repobilityId": 141924, "scanner": "repobility-dependency-currency", "fingerprint": 
"77c78788e416fb50363722b26098bd334c0f6896c1aaa8ea7a58f0c9880f438f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@opentelemetry/resources", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.7.1", "correlation_key": "fp|77c78788e416fb50363722b26098bd334c0f6896c1aaa8ea7a58f0c9880f438f", "current_version": "1.25.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@vscode/vsce` is 1 major version(s) behind (2.32.0 -> 3.9.2)"}, "properties": {"repobilityId": 141920, "scanner": "repobility-dependency-currency", "fingerprint": "1125e930af55b52d0f348bf89decaedaf7391ecd8511d553cf23af39b335d31b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vscode/vsce", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.9.2", "correlation_key": "fp|1125e930af55b52d0f348bf89decaedaf7391ecd8511d553cf23af39b335d31b", "current_version": "2.32.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vscode-extension/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `marked` is 3 major version(s) behind (15.0.7 -> 18.0.5)"}, "properties": {"repobilityId": 141918, "scanner": "repobility-dependency-currency", "fingerprint": "4f5cf70b03a720c46e78cce22350f5538c301cb93fba0a0810a474711728a002", "category": "dependency", "severity": "medium", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "marked", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "18.0.5", "correlation_key": "fp|4f5cf70b03a720c46e78cce22350f5538c301cb93fba0a0810a474711728a002", "current_version": "15.0.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vscode-extension/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@linear/sdk` is 58 major version(s) behind (28.0.0 -> 86.0.0)"}, "properties": {"repobilityId": 141916, "scanner": "repobility-dependency-currency", "fingerprint": "b438b7cbaa6b826d319f0be0c5b855cf860971560e075f62c6a1d6773e8bde6d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "58 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@linear/sdk", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "86.0.0", "correlation_key": "fp|b438b7cbaa6b826d319f0be0c5b855cf860971560e075f62c6a1d6773e8bde6d", "current_version": "28.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/phase4-orchestrator/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `varlock` is 1 major version(s) behind (0.1.4 -> 1.5.1)"}, "properties": {"repobilityId": 141915, "scanner": "repobility-dependency-currency", "fingerprint": "851368f86f8e83d4322b3ddd2aa31bb1ac2edf83c985aac057bc23d7f7db99f5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 
major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "varlock", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.5.1", "correlation_key": "fp|851368f86f8e83d4322b3ddd2aa31bb1ac2edf83c985aac057bc23d7f7db99f5", "current_version": "0.1.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `lint-staged` is 1 major version(s) behind (16.4.0 -> 17.0.7)"}, "properties": {"repobilityId": 141911, "scanner": "repobility-dependency-currency", "fingerprint": "c8c09a56f6e0c3523c71e964fb69805d72202b9f7252b1d12e57fb4c6a85214c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "lint-staged", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.0.7", "correlation_key": "fp|c8c09a56f6e0c3523c71e964fb69805d72202b9f7252b1d12e57fb4c6a85214c", "current_version": "16.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `globals` is 3 major version(s) behind (14.0.0 -> 17.6.0)"}, "properties": {"repobilityId": 141910, "scanner": "repobility-dependency-currency", "fingerprint": "598c68d1f54ad8f540c697ed6457e280c969a02b3194a7b90ec5e84fffb1f0e1", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "globals", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": 
["javascript"], "latest_version": "17.6.0", "correlation_key": "fp|598c68d1f54ad8f540c697ed6457e280c969a02b3194a7b90ec5e84fffb1f0e1", "current_version": "14.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `commander` is 3 major version(s) behind (12.1.0 -> 15.0.0)"}, "properties": {"repobilityId": 141909, "scanner": "repobility-dependency-currency", "fingerprint": "b86370806c5a760e1e7c4b90ba0a7fbf74a08e940a91729012e1b0518dab908f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "commander", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "15.0.0", "correlation_key": "fp|b86370806c5a760e1e7c4b90ba0a7fbf74a08e940a91729012e1b0518dab908f", "current_version": "12.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `chalk` is 1 major version(s) behind (4.1.2 -> 5.6.2)"}, "properties": {"repobilityId": 141908, "scanner": "repobility-dependency-currency", "fingerprint": "1f2de174311f2b9fd36990e5a0c4909aa0af3fa8f10a35d17edaf3c8a687573b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "chalk", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.6.2", "correlation_key": "fp|1f2de174311f2b9fd36990e5a0c4909aa0af3fa8f10a35d17edaf3c8a687573b", "current_version": "4.1.2"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@eslint/js` is 1 major version(s) behind (9.39.4 -> 10.0.1)"}, "properties": {"repobilityId": 141906, "scanner": "repobility-dependency-currency", "fingerprint": "dd12763b7c002336aa8edfe4278f9574b853dee6922f8b4d7a6bee1dd6bc3c6f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@eslint/js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.1", "correlation_key": "fp|dd12763b7c002336aa8edfe4278f9574b853dee6922f8b4d7a6bee1dd6bc3c6f", "current_version": "9.39.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `protobufjs` is 1 major version(s) behind (7.5.8 -> 8.6.0)"}, "properties": {"repobilityId": 141905, "scanner": "repobility-dependency-currency", "fingerprint": "1c2dfd33b2d57ea82c398fde8611b10b85a8f9727703502666422c14fdc40263", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "protobufjs", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.6.0", "correlation_key": "fp|1c2dfd33b2d57ea82c398fde8611b10b85a8f9727703502666422c14fdc40263", "current_version": "7.5.8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web 
app has no humans.txt"}, "properties": {"repobilityId": 142062, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 142061, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 142060, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap 
file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3qcw-2rhx-2726", "level": "note", "message": {"text": "turbo: GHSA-3qcw-2rhx-2726"}, "properties": {"repobilityId": 142055, "scanner": "osv-scanner", "fingerprint": "5d0583539df0db798024a63af1d6ba022a79afce4a54bbe4c2c21c63d658f6ec", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45772"], "package": "turbo", "rule_id": "GHSA-3qcw-2rhx-2726", "scanner": "osv-scanner", "correlation_key": "vuln|turbo|CVE-2026-45772|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-654m-c8p4-x5fp", "level": "note", "message": {"text": "axios: GHSA-654m-c8p4-x5fp"}, "properties": {"repobilityId": 142037, "scanner": "osv-scanner", "fingerprint": "c341d6229d59fb77d0bea8f33fdb1f70f42177a60607a5c5688e7154da87b577", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44489"], "package": "axios", "rule_id": "GHSA-654m-c8p4-x5fp", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44489|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 142021, "scanner": 
"repobility-docker", "fingerprint": "3943a29cb780a4c9c5da7b76dda701257f3bd92c429fa5b68e2ad93c4757943a", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "orchestrator", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3943a29cb780a4c9c5da7b76dda701257f3bd92c429fa5b68e2ad93c4757943a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 142020, "scanner": "repobility-docker", "fingerprint": "31ef084084c0322fadd73d5857cae51354487154e62e6e21e213e3608809127e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "test", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|31ef084084c0322fadd73d5857cae51354487154e62e6e21e213e3608809127e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 142019, "scanner": "repobility-docker", "fingerprint": "7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": 
"App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 142018, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 141986, "scanner": "repobility-threat-engine", "fingerprint": "d15f4159202251669249826f5f42a0085b4a517933a2aeeff40589570b7f83fb", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Use the ' + skillName + ' skill to...\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d15f4159202251669249826f5f42a0085b4a517933a2aeeff40589570b7f83fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/services/skill-installation.helpers.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 141985, "scanner": "repobility-threat-engine", "fingerprint": "8e891435ea10e066de652f6584d4b1ef42649ee91ae853aaeb886ef1d8e8510c", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'WARNING: Risk score increased by ' +\n      delta +\n      ' points ('", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8e891435ea10e066de652f6584d4b1ef42649ee91ae853aaeb886ef1d8e8510c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/security/risk-trend.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 141984, "scanner": "repobility-threat-engine", "fingerprint": "1d19a0b99bf92ffa4099eb4cde13cec1846ca02092ac091222e08d61eb4770b6", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'\\x1b[36m' + border + '\\x1b[0m'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1d19a0b99bf92ffa4099eb4cde13cec1846ca02092ac091222e08d61eb4770b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/scripts/skill-scanner/scanner.ts"}, "region": {"startLine": 360}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@opentelemetry/semantic-conventions` is minor version(s) behind (1.25.1 -> 1.41.1)"}, "properties": {"repobilityId": 141927, "scanner": "repobility-dependency-currency", "fingerprint": "d4d45abf19ebd56ee02dd19cac43c38d7f0558acfdd94835f2f7f92a9182dae5", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@opentelemetry/semantic-conventions", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.41.1", "correlation_key": "fp|d4d45abf19ebd56ee02dd19cac43c38d7f0558acfdd94835f2f7f92a9182dae5", "current_version": "1.25.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package 
`@opentelemetry/sdk-node` is minor version(s) behind (0.52.1 -> 0.218.0)"}, "properties": {"repobilityId": 141925, "scanner": "repobility-dependency-currency", "fingerprint": "23e65b7cd03c25ba06438da418636ed468aac7d587ec037a402816ae688ef15c", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@opentelemetry/sdk-node", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.218.0", "correlation_key": "fp|23e65b7cd03c25ba06438da418636ed468aac7d587ec037a402816ae688ef15c", "current_version": "0.52.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `esbuild` is minor version(s) behind (0.27.7 -> 0.28.0)"}, "properties": {"repobilityId": 141921, "scanner": "repobility-dependency-currency", "fingerprint": "00d0a4da2c965f821846085fa80e60d6c5fa9cd288fb5f8cf444367adc4ba024", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "esbuild", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.28.0", "correlation_key": "fp|00d0a4da2c965f821846085fa80e60d6c5fa9cd288fb5f8cf444367adc4ba024", "current_version": "0.27.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vscode-extension/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/vscode` is minor version(s) behind (1.110.0 -> 1.120.0)"}, "properties": {"repobilityId": 141919, "scanner": 
"repobility-dependency-currency", "fingerprint": "1f0d93ce46cdacab0ee57c746dca98758a81a4b9a14862e499a1c53672d9f8e5", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/vscode", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.120.0", "correlation_key": "fp|1f0d93ce46cdacab0ee57c746dca98758a81a4b9a14862e499a1c53672d9f8e5", "current_version": "1.110.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vscode-extension/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `tsx` is minor version(s) behind (4.21.0 -> 4.22.4)"}, "properties": {"repobilityId": 141917, "scanner": "repobility-dependency-currency", "fingerprint": "c5c30b1856e55b9ec86bd64df817edc8ae2369aaae5abc55f65ddbcea56ca4ed", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tsx", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.22.4", "correlation_key": "fp|c5c30b1856e55b9ec86bd64df817edc8ae2369aaae5abc55f65ddbcea56ca4ed", "current_version": "4.21.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/phase4-orchestrator/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `tsx` is minor version(s) behind (4.21.0 -> 4.22.4)"}, "properties": {"repobilityId": 141914, "scanner": "repobility-dependency-currency", "fingerprint": "4d07a561399f4ca63fe7668a0bf6a1d1cdddd6b8e826965c10460c0e450e6ba6", "category": "dependency", 
"severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tsx", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.22.4", "correlation_key": "fp|4d07a561399f4ca63fe7668a0bf6a1d1cdddd6b8e826965c10460c0e450e6ba6", "current_version": "4.21.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `ruflo` is minor version(s) behind (3.5.42 -> 3.10.37)"}, "properties": {"repobilityId": 141913, "scanner": "repobility-dependency-currency", "fingerprint": "63d8a8c81ac3641a1e430804fca5502e4c9f3b571530ef9daecaf2a7145b1046", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "ruflo", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.10.37", "correlation_key": "fp|63d8a8c81ac3641a1e430804fca5502e4c9f3b571530ef9daecaf2a7145b1046", "current_version": "3.5.42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `posthog-node` is minor version(s) behind (5.29.2 -> 5.36.3)"}, "properties": {"repobilityId": 141912, "scanner": "repobility-dependency-currency", "fingerprint": "504736dbdfea65d4b3ece8bbd25a564ecb4e01c2fd00a178d3daac1b5c093116", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], 
"package": "posthog-node", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.36.3", "correlation_key": "fp|504736dbdfea65d4b3ece8bbd25a564ecb4e01c2fd00a178d3daac1b5c093116", "current_version": "5.29.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `esbuild` is minor version(s) behind (0.27.7 -> 0.28.0)"}, "properties": {"repobilityId": 141904, "scanner": "repobility-dependency-currency", "fingerprint": "7d1803830ad2f99840cd08c7e7755cb508a998a7890b98a79cfa8cdc44c2446d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "esbuild", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.28.0", "correlation_key": "fp|7d1803830ad2f99840cd08c7e7755cb508a998a7890b98a79cfa8cdc44c2446d", "current_version": "0.27.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141872, "scanner": "repobility-ai-code-hygiene", "fingerprint": "914892d5500b0351c16d6714c182ce60073e3f4f4e86e916f17a4305bdda249e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/exports/services.ts", "duplicate_line": 104, 
"correlation_key": "fp|914892d5500b0351c16d6714c182ce60073e3f4f4e86e916f17a4305bdda249e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/webhooks/WebhookPayload.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141871, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d5f91e4e5079df54d7ff5749a2cfff30c596a56ed84a9899b9fe0a613b3ab99c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/analysis/metrics.implementations.ts", "duplicate_line": 3, "correlation_key": "fp|d5f91e4e5079df54d7ff5749a2cfff30c596a56ed84a9899b9fe0a613b3ab99c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/telemetry/metric-helpers.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141870, "scanner": "repobility-ai-code-hygiene", "fingerprint": "685004806dd6a9cb4ce5088f0b8465bbe32afb6a7dccd5e45d76071f153dab62", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/indexer/GitHubIndexer.ts", "duplicate_line": 5, "correlation_key": "fp|685004806dd6a9cb4ce5088f0b8465bbe32afb6a7dccd5e45d76071f153dab62"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/sources/SourceIndexer.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141869, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6963b8c47abf58e5e388ccd0d99f191687dd09445be206bf27c673ff29473013", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/sources/GitHubSourceAdapter.ts", "duplicate_line": 1, "correlation_key": "fp|6963b8c47abf58e5e388ccd0d99f191687dd09445be206bf27c673ff29473013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/sources/GitLabSourceAdapter.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141868, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1e79267554db1ce9a937a24cfe4f2ca4d8706d95930281ea4ef53524db571c21", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/indexer/GitHubIndexer.ts", "duplicate_line": 45, "correlation_key": "fp|1e79267554db1ce9a937a24cfe4f2ca4d8706d95930281ea4ef53524db571c21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/sources/GitHubSourceAdapter.ts"}, 
"region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141867, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e85943d71725a98a7b2be7b38f4df7e758c7cef80966a4bbccb6aa33dfa7a2eb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/cli/src/utils/manifest.ts", "duplicate_line": 5, "correlation_key": "fp|e85943d71725a98a7b2be7b38f4df7e758c7cef80966a4bbccb6aa33dfa7a2eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/services/skill-installation.types.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141866, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b55f23741253dafdcf8951236274c8f85d2b6da15a1fe1b21848d772f3109ad6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/repositories/SkillRepository.ts", "duplicate_line": 7, "correlation_key": "fp|b55f23741253dafdcf8951236274c8f85d2b6da15a1fe1b21848d772f3109ad6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/services/SearchService.types.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 141865, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4f923ad59dd66681593cbdd541f11633b9d40b400cd39f2c723e0c09fdf9b710", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/repositories/IndexerRepository.ts", "duplicate_line": 24, "correlation_key": "fp|4f923ad59dd66681593cbdd541f11633b9d40b400cd39f2c723e0c09fdf9b710"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/services/SearchService.types.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141864, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fb0789c694cd899ce5d29c67843779bf03d12a01fa9d94377bb3fac2c5a3a8cc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/repositories/IndexerRepository.ts", "duplicate_line": 136, "correlation_key": "fp|fb0789c694cd899ce5d29c67843779bf03d12a01fa9d94377bb3fac2c5a3a8cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/services/SearchService.helpers.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141863, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "2b1ef82611f2962320ae8d86cf24ddbc168f89c943bd9856b19d438692042340", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/db/schema-sql.ts", "duplicate_line": 103, "correlation_key": "fp|2b1ef82611f2962320ae8d86cf24ddbc168f89c943bd9856b19d438692042340"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/security/AuditLogger.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141862, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2c10f1092af97d087a9607c821eb6be442e635973c72b8ab54d34a9d611df449", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/scripts/validate-skills.ts", "duplicate_line": 4, "correlation_key": "fp|2c10f1092af97d087a9607c821eb6be442e635973c72b8ab54d34a9d611df449"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/scripts/validation/index.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141861, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"936885e96d08d8fc0dab614df19a4f97ed9514faffabc636e650844c78330c2e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/scripts/review-lenny-skills.ts", "duplicate_line": 11, "correlation_key": "fp|936885e96d08d8fc0dab614df19a4f97ed9514faffabc636e650844c78330c2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/scripts/sync-to-supabase.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141860, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f4a49c258fd47e8ef27caa69ca58c8597374776b3d548da26c1bfe110c2eda40", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/scripts/github-import/index.ts", "duplicate_line": 27, "correlation_key": "fp|f4a49c258fd47e8ef27caa69ca58c8597374776b3d548da26c1bfe110c2eda40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/scripts/import-github-skills.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141859, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ea21426a88e2bf269588d7d1327dd37e4f6db34c236cf66dbb60ec8ae77cfbd6", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/repositories/IndexerRepository.ts", "duplicate_line": 24, "correlation_key": "fp|ea21426a88e2bf269588d7d1327dd37e4f6db34c236cf66dbb60ec8ae77cfbd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/repositories/SkillRepository.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141858, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e796dbd6d7f76b976fa5b0f39eff7f43be355e02edd1b97738dac54dd75396b1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/embeddings/hnsw-store.ts", "duplicate_line": 103, "correlation_key": "fp|e796dbd6d7f76b976fa5b0f39eff7f43be355e02edd1b97738dac54dd75396b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/embeddings/index.ts"}, "region": {"startLine": 214}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141857, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9bbb06bdaf5a6cc19c42fef8073235e15b1b7895f4e766bf2b7a2f3e81992c99", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/db/migration-types.ts", "duplicate_line": 46, "correlation_key": "fp|9bbb06bdaf5a6cc19c42fef8073235e15b1b7895f4e766bf2b7a2f3e81992c99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/db/migration.ts"}, "region": {"startLine": 93}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 141856, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8f236d2795fa4a949da0357c40ff00d8e4fd1b9456a47a98c95a55986274f2f4", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "updated", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|8f236d2795fa4a949da0357c40ff00d8e4fd1b9456a47a98c95a55986274f2f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "supabase/functions/stripe-webhook/handlers/subscription-updated.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 141855, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b6a21c21daae9364ded77804229fa1dc9d00bcaa9b283ce6c3a8c7f883e9e202", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "copy", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|b6a21c21daae9364ded77804229fa1dc9d00bcaa9b283ce6c3a8c7f883e9e202"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/website/src/lib/complete-profile-copy.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source (and 89 more): Same pattern found in 89 additional files. Review if needed."}, "properties": {"repobilityId": 142017, "scanner": "repobility-threat-engine", "fingerprint": "1c6099bc1e442ab3a763094c76615a59f18908348619a175db967ba7034bc848", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 89 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1c6099bc1e442ab3a763094c76615a59f18908348619a175db967ba7034bc848", "aggregated_count": 89}}}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 142016, "scanner": "repobility-threat-engine", "fingerprint": "94e4f4e7f3b3b40ec4370309e216f7e4c2fe997d66435d2130856386442d7852", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": 
"2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|94e4f4e7f3b3b40ec4370309e216f7e4c2fe997d66435d2130856386442d7852"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "supabase/functions/_shared/auth-middleware.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 142015, "scanner": "repobility-threat-engine", "fingerprint": "fdec28fca8c90be7e01610a0aabc19f3543e6db0b71bb32980fa920f5bac8dac", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fdec28fca8c90be7e01610a0aabc19f3543e6db0b71bb32980fa920f5bac8dac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "supabase/functions/_shared/attribution.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 142014, "scanner": "repobility-threat-engine", "fingerprint": "3e47984705c2609b4d2e5f46cd5f90430c6ea46b52ab7121293af574aa63cb14", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating 
context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e47984705c2609b4d2e5f46cd5f90430c6ea46b52ab7121293af574aa63cb14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "supabase/functions/_shared/api-key-auth.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 142013, "scanner": "repobility-threat-engine", "fingerprint": "ffe0bb40951d1fe20325d6626515b6b3f5194cef1a3be6e6de11e9645a8d8a72", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ffe0bb40951d1fe20325d6626515b6b3f5194cef1a3be6e6de11e9645a8d8a72", "aggregated_count": 1}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 142012, "scanner": "repobility-threat-engine", "fingerprint": "cd839d86f0e4648d9a5477d77113a10e953a9e77249e03877e03b971a03b18ac", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cd839d86f0e4648d9a5477d77113a10e953a9e77249e03877e03b971a03b18ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/token-delta-harness.mjs"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 142011, "scanner": "repobility-threat-engine", "fingerprint": "f85ac19b11d081525f1c242d91edcec43d3c3277902d0839e427154262c5110e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", 
"evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f85ac19b11d081525f1c242d91edcec43d3c3277902d0839e427154262c5110e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/linear-hook.mjs"}, "region": {"startLine": 342}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 142010, "scanner": "repobility-threat-engine", "fingerprint": "85a11ada84950e669b3530c3da341aa429750d88e2d467504fca29c102856eea", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|85a11ada84950e669b3530c3da341aa429750d88e2d467504fca29c102856eea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/batch-transform-skills.pipeline.ts"}, "region": {"startLine": 358}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "properties": {"repobilityId": 142008, "scanner": "repobility-threat-engine", "fingerprint": "224bdaf44e007e0b9c892e9f51a6afadee49a837e1b72825485f31ff4e500147", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|224bdaf44e007e0b9c892e9f51a6afadee49a837e1b72825485f31ff4e500147"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 142003, "scanner": "repobility-threat-engine", "fingerprint": "9663cbbb6338c2f2a38ef8a181799270bd0ec3e9b9a829dfd807c874bea01dcb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9663cbbb6338c2f2a38ef8a181799270bd0ec3e9b9a829dfd807c874bea01dcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vscode-extension/src/views/skill-panel-script.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints 
that handle credentials or data."}, "properties": {"repobilityId": 142002, "scanner": "repobility-threat-engine", "fingerprint": "9af64a35c65a2e01d9f5021a18b082a78b8ad5918d0b100eb3d93e4598489926", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9af64a35c65a2e01d9f5021a18b082a78b8ad5918d0b100eb3d93e4598489926"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/webhooks/webhook-endpoint.ts"}, "region": {"startLine": 276}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 142001, "scanner": "repobility-threat-engine", "fingerprint": "b788790f34e608fec4e51d4278972df82f6239734cac60c449ac469eb9981356", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b788790f34e608fec4e51d4278972df82f6239734cac60c449ac469eb9981356"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/webhooks/stripe-webhook-endpoint.ts"}, "region": 
{"startLine": 269}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 141997, "scanner": "repobility-threat-engine", "fingerprint": "f98b77f926f6c5f774889feeec9175b063c8259b0ec304a9d419ce3f2f006409", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f98b77f926f6c5f774889feeec9175b063c8259b0ec304a9d419ce3f2f006409"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/doc-retrieval-mcp/src/_lib/git-fixture-env.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 141991, "scanner": "repobility-threat-engine", "fingerprint": "e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921"}}}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 141987, "scanner": "repobility-threat-engine", "fingerprint": "802362717bb8b9596309b60635fbb04d345013c3d2defa44f95ace1b246cb77c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|802362717bb8b9596309b60635fbb04d345013c3d2defa44f95ace1b246cb77c"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 141978, "scanner": "repobility-threat-engine", "fingerprint": "5de0987b84b0dd1858da99ba2b7e105cd743ded0202d2bb4284a89fca2c86ae0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5de0987b84b0dd1858da99ba2b7e105cd743ded0202d2bb4284a89fca2c86ae0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/routing/SONARouter.helpers.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC087", "level": "none", "message": {"text": "[SEC087] JS: weak Math.random for crypto (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 141977, "scanner": "repobility-threat-engine", "fingerprint": "07858a0dd31ac85f95ed95bbe2ad6e5c01414bdc2286bcfa4d29ab4c4eaef0e9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|07858a0dd31ac85f95ed95bbe2ad6e5c01414bdc2286bcfa4d29ab4c4eaef0e9"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 141972, "scanner": "repobility-threat-engine", "fingerprint": "b33b9fa30193bee8937fded79de0a89e3cbc0227353c6d1fa8988e662e74e331", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b33b9fa30193bee8937fded79de0a89e3cbc0227353c6d1fa8988e662e74e331"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 141971, "scanner": "repobility-threat-engine", "fingerprint": "917892e1d75139507b276ab795df1dfcf31a4e3af66ec4bae89bce306f883c9d", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|269|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/enterprise/src/audit/AuditLogger.ts"}, "region": {"startLine": 269}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 141970, "scanner": "repobility-threat-engine", "fingerprint": "16770cb018b89b6d73120d0bd189d3f56da1f048d6c7513c5a54c847c9f1b601", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|39|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/api/utils.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 141969, "scanner": "repobility-threat-engine", "fingerprint": "25c650a9c8e405ef747d0bd16258bedf330d058446e9db825e74494ac833dccf", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|110|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/api/client.events.ts"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "properties": {"repobilityId": 141968, "scanner": "repobility-threat-engine", "fingerprint": "8d97181b77d4b75e5396225bcec4e3d04e3a0fe1684a5aa6e07b828a3bb585f3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8d97181b77d4b75e5396225bcec4e3d04e3a0fe1684a5aa6e07b828a3bb585f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/activation/ZeroConfigActivator.ts"}, "region": {"startLine": 231}}}]}, {"ruleId": "SEC083", "level": "none", 
"message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 141967, "scanner": "repobility-threat-engine", "fingerprint": "90a983ae2327fe2ddf05ecbedee38b4a196180482606a0fdef5e49cba72fabad", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|90a983ae2327fe2ddf05ecbedee38b4a196180482606a0fdef5e49cba72fabad"}}}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 141963, "scanner": "repobility-threat-engine", "fingerprint": "b2035a80780304e620b60087b426ba3ac5c6c7cc37beacb9e3090ae321c15a3e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b2035a80780304e620b60087b426ba3ac5c6c7cc37beacb9e3090ae321c15a3e", "aggregated_count": 2}}}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 141962, "scanner": "repobility-threat-engine", "fingerprint": "add63cbd19b44fc4747c9aa6dcc61bdcb8df0b20bb586a4b2e447b7555f93b49", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|add63cbd19b44fc4747c9aa6dcc61bdcb8df0b20bb586a4b2e447b7555f93b49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/launch-smi627.sh"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 141961, "scanner": "repobility-threat-engine", "fingerprint": "1908b75b179b64c58db7acf37eaf7e875a9c33db1777a4b8b5a74835306fd2cd", "category": "quality", "severity": "info", "confidence": 1.0, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1908b75b179b64c58db7acf37eaf7e875a9c33db1777a4b8b5a74835306fd2cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/templates/readme.md.template.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 141960, "scanner": "repobility-threat-engine", "fingerprint": "f2c94bc373e6c3c61fd70a6abb8991e5af45d5800f5b58de1a9fdbf407fb6ffc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f2c94bc373e6c3c61fd70a6abb8991e5af45d5800f5b58de1a9fdbf407fb6ffc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/templates/mcp-server.template.ts"}, "region": {"startLine": 311}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 27 more): Same pattern found in 27 additional files. 
Review if needed."}, "properties": {"repobilityId": 141959, "scanner": "repobility-threat-engine", "fingerprint": "048dcb74a20c7061a601929c6553e52b7ff4a6c1dd58164cda23c3c557961dc8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 27 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 27 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|048dcb74a20c7061a601929c6553e52b7ff4a6c1dd58164cda23c3c557961dc8"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "properties": {"repobilityId": 141955, "scanner": "repobility-threat-engine", "fingerprint": "3135b3ae83a831d18dc4de6ec254af37532aedd273e95636989078d478f5577a", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 27 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 27 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3135b3ae83a831d18dc4de6ec254af37532aedd273e95636989078d478f5577a"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 58 more): Same pattern found in 58 additional files. 
Review if needed."}, "properties": {"repobilityId": 141951, "scanner": "repobility-threat-engine", "fingerprint": "51075618d472e9d8d63be3d3f80045f1481a3d880c42ee68373d8f4ecdb3c031", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 58 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|51075618d472e9d8d63be3d3f80045f1481a3d880c42ee68373d8f4ecdb3c031", "aggregated_count": 58}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 141950, "scanner": "repobility-threat-engine", "fingerprint": "41d2e4d6b34dcf79f03f437e6cdecfbacd93e16c5af4dd8e2015fde16c740a16", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|41d2e4d6b34dcf79f03f437e6cdecfbacd93e16c5af4dd8e2015fde16c740a16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/install-skill.ts"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 141949, "scanner": "repobility-threat-engine", "fingerprint": "6aef8b8aee11e272cf0e6c6dc88294ab493f8e9752e6ad91e1564af96fa955f5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6aef8b8aee11e272cf0e6c6dc88294ab493f8e9752e6ad91e1564af96fa955f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/author/transform.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 141948, "scanner": "repobility-threat-engine", "fingerprint": "54d21da197b0e38030f4858cb51fb96713ee0feba269ebb9d112bc5ffefef31d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|54d21da197b0e38030f4858cb51fb96713ee0feba269ebb9d112bc5ffefef31d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/author/subagent.ts"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 141947, "scanner": "repobility-threat-engine", "fingerprint": "2d84c1fa3f1809d4801d0089e312602767abb0ae8515fefce419706fac4cac74", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 12 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2d84c1fa3f1809d4801d0089e312602767abb0ae8515fefce419706fac4cac74"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 141946, "scanner": "repobility-threat-engine", "fingerprint": "e477b08c59d06bc093d15f158c48271165f43e04605215d827c1abf2695a11c7", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('Failed to get installation token:', response.status, await response.text()", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|15|console.error failed to get installation token: response.status await response.text"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/indexer/_shared/github-auth.ts"}, "region": {"startLine": 152}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 141945, "scanner": "repobility-threat-engine", "fingerprint": "4bfabae9084628872a06cdc49ce2e086eb885eaa4e1e9111c9ea99cd178ffde7", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.error('LINEAR_API_KEY not set. Skipping drift audit.')", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|10|console.error linear_api_key not set. skipping drift audit."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/audit-linear-drift.mjs"}, "region": {"startLine": 104}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "properties": {"repobilityId": 141943, "scanner": "repobility-threat-engine", "fingerprint": "4fd7a08c8250fc24feafc9d45bd89c52933674789f7e80575d8ccb1efffdc5ea", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 21 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4fd7a08c8250fc24feafc9d45bd89c52933674789f7e80575d8ccb1efffdc5ea"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "properties": {"repobilityId": 141939, "scanner": "repobility-threat-engine", "fingerprint": "03477f3c225ccbb23c6eb223307bb8f56aa610a43b72f18b0967de2c27d05c02", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|03477f3c225ccbb23c6eb223307bb8f56aa610a43b72f18b0967de2c27d05c02"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 161 more): Same pattern found in 161 additional files. Review if needed."}, "properties": {"repobilityId": 141935, "scanner": "repobility-threat-engine", "fingerprint": "7f0ea58c666423913b4555e6683ab267bbae8fe3e7d085d36c227314fc18ad66", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 161 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7f0ea58c666423913b4555e6683ab267bbae8fe3e7d085d36c227314fc18ad66", "aggregated_count": 161}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 141934, "scanner": "repobility-threat-engine", "fingerprint": "2b6765e7c9fb235d85c2271d31886973ebbd49a21324537a17d76ea041798f59", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2b6765e7c9fb235d85c2271d31886973ebbd49a21324537a17d76ea041798f59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/ab-test.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 141933, "scanner": "repobility-threat-engine", "fingerprint": "21300d4b862cc3b65fc6375a35f47cd8781a68b0d0557c6e434b66f6495bf2a4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|21300d4b862cc3b65fc6375a35f47cd8781a68b0d0557c6e434b66f6495bf2a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api-proxy/api/proxy.ts"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 141932, "scanner": "repobility-threat-engine", "fingerprint": "64cd835a3124be5d5ca15a7f127de68367fc8f32a3b0575e7011a5f1a1ff547e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|64cd835a3124be5d5ca15a7f127de68367fc8f32a3b0575e7011a5f1a1ff547e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/github-safe.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "properties": {"repobilityId": 141931, "scanner": "repobility-threat-engine", "fingerprint": "5ca54ab90029902728d161c57b6d45a92251ea1746ca58f27efad90d2ccb4080", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 22 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5ca54ab90029902728d161c57b6d45a92251ea1746ca58f27efad90d2ccb4080"}}}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@opentelemetry/api` is patch version(s) behind (1.9.0 -> 1.9.1)"}, "properties": {"repobilityId": 141923, "scanner": "repobility-dependency-currency", "fingerprint": "f57be6303e194f2a6ecd9b83f8cdc6515167d50af96f31fa105565a3b06e0e73", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@opentelemetry/api", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.9.1", "correlation_key": "fp|f57be6303e194f2a6ecd9b83f8cdc6515167d50af96f31fa105565a3b06e0e73", "current_version": "1.9.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@skillsmith/cli` is patch version(s) behind (^0.6.0 -> 0.6.3)"}, "properties": {"repobilityId": 141922, "scanner": "repobility-dependency-currency", "fingerprint": "df6bf6aa44cfb3f7999ac9c3968e849ab76db9b0b075483919cc0179c2e25d8d", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@skillsmith/cli", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.6.3", "correlation_key": "fp|df6bf6aa44cfb3f7999ac9c3968e849ab76db9b0b075483919cc0179c2e25d8d", "current_version": "^0.6.0"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/skillsmith-cli/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@vitest/coverage-v8` is patch version(s) behind (4.1.6 -> 4.1.8)"}, "properties": {"repobilityId": 141907, "scanner": "repobility-dependency-currency", "fingerprint": "827b9b906e81ef7a2f83e9d98c7c7472d6a99d3f855ce85012573e4645f940a8", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitest/coverage-v8", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.8", "correlation_key": "fp|827b9b906e81ef7a2f83e9d98c7c7472d6a99d3f855ce85012573e4645f940a8", "current_version": "4.1.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@claude-flow/aidefence` is patch version(s) behind (3.0.2 -> 3.0.3)"}, "properties": {"repobilityId": 141903, "scanner": "repobility-dependency-currency", "fingerprint": "6184cd3a28eb443ea32dd9e218c2fe31d948a9eed28fa18bd43d0f27d7843d65", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@claude-flow/aidefence", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.3", "correlation_key": "fp|6184cd3a28eb443ea32dd9e218c2fe31d948a9eed28fa18bd43d0f27d7843d65", "current_version": "3.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN004", 
"level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 142059, "scanner": "repobility-journey-contract", "fingerprint": "a00f79fd0a79bfb5aac1c136d13e826952b5f589864962cadc87fb1ef5b90272", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|15|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/services/quarantine/QuarantineService.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "GHSA-ph9p-34f9-6g65", "level": "error", "message": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "properties": {"repobilityId": 142054, "scanner": "osv-scanner", "fingerprint": "98d9d97f3f550caba1f6df39b82415945caad2b866cb40a32a12f4041deb865a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44705"], "package": "tmp", "rule_id": "GHSA-ph9p-34f9-6g65", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2026-44705|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MAL-2026-5187", "level": "error", "message": {"text": "supabase: MAL-2026-5187"}, "properties": {"repobilityId": 142053, "scanner": "osv-scanner", "fingerprint": "5226f0094c10a29f7cd504c755d34d850023a1820787808193a7837cf0c906f6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"match": "", "aliases": ["GHSA-x96m-c5fj-q75c"], "package": "supabase", "rule_id": "MAL-2026-5187", "scanner": "osv-scanner", "correlation_key": "vuln|supabase|GHSA-X96M-C5FJ-Q75C|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pjwm-pj3p-43mv", "level": "error", "message": {"text": "axios: GHSA-pjwm-pj3p-43mv"}, "properties": {"repobilityId": 142043, "scanner": "osv-scanner", "fingerprint": "a687f86314a62c9c73eab486dfb458616263bea26dbbefe9cae8473e8efb3071", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44492"], "package": "axios", "rule_id": "GHSA-pjwm-pj3p-43mv", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2025-62718|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p92q-9vqr-4j8v", "level": "error", "message": {"text": "axios: GHSA-p92q-9vqr-4j8v"}, "properties": {"repobilityId": 142042, "scanner": "osv-scanner", "fingerprint": "db661ef3efd6ae15f09e8cb75e1d440d922b39de4793cfc737ed0754eca534ab", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44487"], "package": "axios", "rule_id": "GHSA-p92q-9vqr-4j8v", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44487|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j5f8-grm9-p9fc", "level": "error", "message": {"text": "axios: GHSA-j5f8-grm9-p9fc"}, "properties": {"repobilityId": 142041, "scanner": "osv-scanner", "fingerprint": 
"ed7033fc0c9299b56ea00c92631f81ed72ec873142f864f792ab8b0cede67c2f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44486"], "package": "axios", "rule_id": "GHSA-j5f8-grm9-p9fc", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44486|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hfxv-24rg-xrqf", "level": "error", "message": {"text": "axios: GHSA-hfxv-24rg-xrqf"}, "properties": {"repobilityId": 142040, "scanner": "osv-scanner", "fingerprint": "3a1a1d65de131fd423fbc959231b59156b65c45d65668fe2f857f475aba62a80", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44496"], "package": "axios", "rule_id": "GHSA-hfxv-24rg-xrqf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44496|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-777c-7fjr-54vf", "level": "error", "message": {"text": "axios: GHSA-777c-7fjr-54vf"}, "properties": {"repobilityId": 142038, "scanner": "osv-scanner", "fingerprint": "59a250c97b1e71652419bc7d1715d1574255c84ea0b98401688c8d00b7cdd35b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44488"], "package": "axios", "rule_id": "GHSA-777c-7fjr-54vf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44488|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-35jp-ww65-95wh", "level": 
"error", "message": {"text": "axios: GHSA-35jp-ww65-95wh"}, "properties": {"repobilityId": 142036, "scanner": "osv-scanner", "fingerprint": "3588119f3e3a3569888076b3b7dda23c8c3a97e0038f21a03c294eba6757dbf6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44494"], "package": "axios", "rule_id": "GHSA-35jp-ww65-95wh", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44494|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q7rr-3cgh-j5r3", "level": "error", "message": {"text": "@opentelemetry/sdk-node: GHSA-q7rr-3cgh-j5r3"}, "properties": {"repobilityId": 142035, "scanner": "osv-scanner", "fingerprint": "2b44f542c264c0b8cd1951dc2799c97d6826cb354ef1cdd2fa3ed8d1c4b0e2b2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44902"], "package": "@opentelemetry/sdk-node", "rule_id": "GHSA-q7rr-3cgh-j5r3", "scanner": "osv-scanner", "correlation_key": "vuln|opentelemetry/sdk-node|CVE-2026-44902|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 142004, "scanner": "repobility-threat-engine", "fingerprint": "e62d413687dc0391e3ee844423650c81e4054f8c766dd793399d7e151c4796b5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.delete(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e62d413687dc0391e3ee844423650c81e4054f8c766dd793399d7e151c4796b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/webhooks/webhook-helpers.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 142000, "scanner": "repobility-threat-engine", "fingerprint": "30dfa9dac200c66ae5ef53845c1aa6103b985824fe1e79eca49c369f7382f16c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|30dfa9dac200c66ae5ef53845c1aa6103b985824fe1e79eca49c369f7382f16c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/phase4-orchestrator/orchestrator.ts"}, "region": 
{"startLine": 223}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 141999, "scanner": "repobility-threat-engine", "fingerprint": "bc2766797192a7ac5e189428bf952a2d9a413f428d83b885caea5a86efb3ae60", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bc2766797192a7ac5e189428bf952a2d9a413f428d83b885caea5a86efb3ae60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/suggestions/suggestion-engine.ts"}, "region": {"startLine": 327}}}]}, {"ruleId": "MINED031", "level": "error", "message": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. 
React wont re-render."}, "properties": {"repobilityId": 141993, "scanner": "repobility-threat-engine", "fingerprint": "049a1c7c336f18636368e19984f685f4be6ee330ade518009640391f77434cf5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-direct-state-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347971+00:00", "triaged_in_corpus": 15, "observations_count": 6168, "ai_coder_pattern_id": 137}, "scanner": "repobility-threat-engine", "correlation_key": "fp|049a1c7c336f18636368e19984f685f4be6ee330ade518009640391f77434cf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/suggestions/suggestion-engine.ts"}, "region": {"startLine": 309}}}]}, {"ruleId": "MINED031", "level": "error", "message": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. 
React wont re-render."}, "properties": {"repobilityId": 141992, "scanner": "repobility-threat-engine", "fingerprint": "11ce6cbdbdca2ea6d17db87a93bb23500d21fd2cfd892336567e447bc25da5bc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-direct-state-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347971+00:00", "triaged_in_corpus": 15, "observations_count": 6168, "ai_coder_pattern_id": 137}, "scanner": "repobility-threat-engine", "correlation_key": "fp|11ce6cbdbdca2ea6d17db87a93bb23500d21fd2cfd892336567e447bc25da5bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/sync/BackgroundSyncService.ts"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED099", "level": "error", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. 
AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 141983, "scanner": "repobility-threat-engine", "fingerprint": "3345864d888c0083fb471f697066914650fbd5499c3e72a9e3edc5d88068b38a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3345864d888c0083fb471f697066914650fbd5499c3e72a9e3edc5d88068b38a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/indexer/_shared/github-auth.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED099", "level": "error", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. 
AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 141982, "scanner": "repobility-threat-engine", "fingerprint": "05b9015e8025987b41a19e07b4bd32b40c99f17b92e800a2759bc4be07d5fc4c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|05b9015e8025987b41a19e07b4bd32b40c99f17b92e800a2759bc4be07d5fc4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/scripts/github-import/github-auth.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 141981, "scanner": "repobility-threat-engine", "fingerprint": "82efd86ead059fabaeabccede645a83572d86880df7447cd1ba9479e99f33429", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|82efd86ead059fabaeabccede645a83572d86880df7447cd1ba9479e99f33429"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/doc-retrieval-mcp/src/indexer.helpers.ts"}, "region": 
{"startLine": 185}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 141980, "scanner": "repobility-threat-engine", "fingerprint": "e728a9d66a5f200c9d04d8c0342e52a473bbab33e18d77e75ec532ff5fea5f8f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e728a9d66a5f200c9d04d8c0342e52a473bbab33e18d77e75ec532ff5fea5f8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/scripts/validation/normalizers.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 141979, "scanner": "repobility-threat-engine", "fingerprint": "af1da4de56caac78ce58f084df0123125d67c09aef1a0dacae806043ada0f9e4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|af1da4de56caac78ce58f084df0123125d67c09aef1a0dacae806043ada0f9e4"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/scripts/github-import/deduplication.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC061", "level": "error", "message": {"text": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT)."}, "properties": {"repobilityId": 141973, "scanner": "repobility-threat-engine", "fingerprint": "4f4ae976c30e338eca0e80391fe7752cfd8418a8c59fb00a2e7b6aac9a434e47", "category": "secret", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InZyY256cG1uZHRyb3F4eG9xa3p5Iiw", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC061", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|11|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/api/utils.ts"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 141966, "scanner": "repobility-threat-engine", "fingerprint": "1e6eb7bd1bdc223d6c8d7e944796da6b7790a7dc7220931b4735f96d6b2abd3d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1e6eb7bd1bdc223d6c8d7e944796da6b7790a7dc7220931b4735f96d6b2abd3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/indexer/SkillParser.ts"}, "region": {"startLine": 315}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 141965, "scanner": "repobility-threat-engine", "fingerprint": "6aee5c54357c979ff5b9beee1a7330688a551e8ca9aee79df502d6d0dd82f642", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(escapeRegExp", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6aee5c54357c979ff5b9beee1a7330688a551e8ca9aee79df502d6d0dd82f642"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/api/cache.ts"}, "region": {"startLine": 242}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 141964, "scanner": "repobility-threat-engine", "fingerprint": "9677fdbfc307530cbf681d0f9eba1f9d57239b1f44f8c3f8bc3e088708ab66d4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(escapedHome", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9677fdbfc307530cbf681d0f9eba1f9d57239b1f44f8c3f8bc3e088708ab66d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/utils/sanitize.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 141958, "scanner": "repobility-threat-engine", "fingerprint": "f1a62bdc507d596e07346587f9d90aee8a943f8bf60dfee295697317e1a62c76", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.cache.delete(filePath)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f1a62bdc507d596e07346587f9d90aee8a943f8bf60dfee295697317e1a62c76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/analysis/cache.ts"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 141957, "scanner": "repobility-threat-engine", "fingerprint": "7728cc1afce12891b9f02e5bfdf416d656d16559104c0a26dd136ee1e1d09d80", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.undoSnapshots.delete(undoToken)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7728cc1afce12891b9f02e5bfdf416d656d16559104c0a26dd136ee1e1d09d80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/activation/ActivationManager.ts"}, "region": {"startLine": 231}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 141956, "scanner": "repobility-threat-engine", "fingerprint": "bea318d0b209a06c4c388b92b3ca1fa4cfe244187a25b93e8331e69490e4a035", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "repo.update(record.id, input)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bea318d0b209a06c4c388b92b3ca1fa4cfe244187a25b93e8331e69490e4a035"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/import-local.ts"}, "region": {"startLine": 138}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 141944, "scanner": "repobility-threat-engine", "fingerprint": "d41cf4ee9c2d7e5e0e31c5b38e30a96c0e9b8a603e379491701ba71ab01586b8", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log(`    Token reduction: ${result.stats.tokenReductionPercent}%`)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|35|console.log token reduction: token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/batch-transform-skills.pipeline.ts"}, "region": {"startLine": 358}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 141942, "scanner": "repobility-threat-engine", "fingerprint": "90d4cf5b2765721f2b8b95a54cb183cc1c3a7996fe7663de722f429fcebd9ed1", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((p) => `\"${p}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|90d4cf5b2765721f2b8b95a54cb183cc1c3a7996fe7663de722f429fcebd9ed1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/templates/subagent.md.template.ts"}, "region": {"startLine": 119}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 141941, "scanner": "repobility-threat-engine", "fingerprint": "47ed59d7d1eabfb6b92b69bcbd9bef5358ae6f00e175081293fa444c5074399c", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((p) => `${p.name}: args.${p.name}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|47ed59d7d1eabfb6b92b69bcbd9bef5358ae6f00e175081293fa444c5074399c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/templates/mcp-template-handlers.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 141940, "scanner": "repobility-threat-engine", "fingerprint": "65901a01bab401fcac905738fd0ac7e81f987326987c863c7638377a85ea3614", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([ext, count]) => `${ext}: ${count}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|65901a01bab401fcac905738fd0ac7e81f987326987c863c7638377a85ea3614"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/analyze.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 141938, "scanner": "repobility-threat-engine", "fingerprint": "9f73656e31a474e91dc53e51853f29dca3688ad7c12cce09d9cc89d167e6c210", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9f73656e31a474e91dc53e51853f29dca3688ad7c12cce09d9cc89d167e6c210"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/repositories/SkillRepository.ts"}, "region": {"startLine": 238}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 141937, "scanner": "repobility-threat-engine", "fingerprint": "7a851e0d435413a38e93244426c7b11b44a13638877a7f36afe95aef2edb39c8", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7a851e0d435413a38e93244426c7b11b44a13638877a7f36afe95aef2edb39c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/diff.ts"}, "region": {"startLine": 110}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 141936, "scanner": "repobility-threat-engine", "fingerprint": "bdaa526a31053be85ffe5b6664cdaa033ae731998a8e8f3c0a1c368239957873", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bdaa526a31053be85ffe5b6664cdaa033ae731998a8e8f3c0a1c368239957873"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api-proxy/api/proxy.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 141930, "scanner": "repobility-threat-engine", "fingerprint": "3b0d450dae2810f281ecce9b6c606a4ae68278fac5dd413d0b9a4c2928968502", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(line", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3b0d450dae2810f281ecce9b6c606a4ae68278fac5dd413d0b9a4c2928968502"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/analysis/McpReferenceExtractor.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables 
command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 141929, "scanner": "repobility-threat-engine", "fingerprint": "ef867c671645b4318a7b89b95d9dc236ecfd4c8e814636cf67c3b570cb57649b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(line", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ef867c671645b4318a7b89b95d9dc236ecfd4c8e814636cf67c3b570cb57649b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/diff.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 141928, "scanner": "repobility-threat-engine", "fingerprint": "023e6d3717127bf3b666a6a51e2b1abce86a1491bc3746b7ff31aa3b5773b949", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(ghCommand", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|023e6d3717127bf3b666a6a51e2b1abce86a1491bc3746b7ff31aa3b5773b949"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/github-safe.js"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22-slim` not pinned by digest"}, "properties": {"repobilityId": 141874, "scanner": "repobility-supply-chain", "fingerprint": "48c6f99fbfaf2863c143886ede19424c759c1b0937685bd3a50e69d2109bda29", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|48c6f99fbfaf2863c143886ede19424c759c1b0937685bd3a50e69d2109bda29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /items/ has no auth"}, "properties": {"repobilityId": 141873, "scanner": "repobility-route-auth", "fingerprint": "8959fd43e27b09e2c2f00991b09bf85ede6cbe34a05f785a8402a7568d5f82ea", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|8959fd43e27b09e2c2f00991b09bf85ede6cbe34a05f785a8402a7568d5f82ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/analysis/adapters/__tests__/python.test.ts"}, "region": {"startLine": 543}}}]}, {"ruleId": "GHSA-gc25-3vc5-2jf9", "level": "error", "message": {"text": "sandbox: GHSA-gc25-3vc5-2jf9"}, "properties": {"repobilityId": 142051, "scanner": "osv-scanner", "fingerprint": "f6e825bb38b8796806f2847bac567bf7bec02f0439c16925ca0ada547b939fc1", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "sandbox", "rule_id": "GHSA-gc25-3vc5-2jf9", "scanner": "osv-scanner", "correlation_key": "vuln|sandbox|GHSA-GC25-3VC5-2JF9|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "vercel-token", "level": "error", "message": {"text": "Vercel Token"}, "properties": {"repobilityId": 142034, "scanner": "gitleaks", "fingerprint": "1798634b5cd59e05ee1e997b9868f4ceffd4122ca58191d7f88ad0ffd89f5c1e", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "vercel-token", "scanner": "gitleaks", "detector": "vercel-token", "correlation_key": "secret|token|5|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/website/src/middleware.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "vercel-token", "level": "error", "message": {"text": "Vercel 
Token"}, "properties": {"repobilityId": 142033, "scanner": "gitleaks", "fingerprint": "d5d5b14ac67268ca080ca03744e2fe003aa8477d67fff4dea325958fbff5b626", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "vercel-token", "scanner": "gitleaks", "detector": "vercel-token", "correlation_key": "secret|token|2|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/website/src/middleware.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "vercel-token", "level": "error", "message": {"text": "Vercel Token"}, "properties": {"repobilityId": 142032, "scanner": "gitleaks", "fingerprint": "542d7d3bdfa6569d6cb3e5d0ba6a6b928696ca53599b0079b0b01b25264f455f", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "vercel-token", "scanner": "gitleaks", "detector": "vercel-token", "correlation_key": "secret|token|28|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/tools/get-skill.ts"}, "region": {"startLine": 287}}}]}, {"ruleId": "vercel-token", "level": "error", "message": {"text": "Vercel Token"}, "properties": {"repobilityId": 142031, "scanner": "gitleaks", "fingerprint": "56730c93254e32897f0847677d24a71832649eac3ffd6576a24f790e1d17281b", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "vercel-token", "scanner": "gitleaks", "detector": "vercel-token", "correlation_key": "secret|token|20|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/tools/get-skill.ts"}, "region": {"startLine": 204}}}]}, {"ruleId": "vercel-token", 
"level": "error", "message": {"text": "Vercel Token"}, "properties": {"repobilityId": 142030, "scanner": "gitleaks", "fingerprint": "d12d76f086629531b4e15b2c875fbcf8d314a58b5bc8ea75c146d73b2ec3d612", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED", "rule_id": "vercel-token", "scanner": "gitleaks", "detector": "vercel-token", "correlation_key": "secret|packages/core/changelog.md|12|redacted", "duplicate_count": 1, "duplicate_rule_ids": ["vercel-token"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["d12d76f086629531b4e15b2c875fbcf8d314a58b5bc8ea75c146d73b2ec3d612", "ff03af489de1f9b20e5908da0aea50b42b00d4ecc2b6360714405fd0de8cc4f7"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/CHANGELOG.md"}, "region": {"startLine": 122}}}]}, {"ruleId": "vercel-token", "level": "error", "message": {"text": "Vercel Token"}, "properties": {"repobilityId": 142029, "scanner": "gitleaks", "fingerprint": "932381d89a48475d9d2f894a5c57472f1ca346c7b39d9a3943f1962eb373c94b", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "vercel-token", "scanner": "gitleaks", "detector": "vercel-token", "correlation_key": "secret|packages/core/changelog.md|11|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/CHANGELOG.md"}, "region": {"startLine": 118}}}]}, {"ruleId": "vercel-token", "level": "error", "message": {"text": "Vercel Token"}, "properties": {"repobilityId": 142028, "scanner": "gitleaks", "fingerprint": "a4e4a22531a5175ccb9592ee46964f69e9c3e0c41a7980187a23ea7466e35ac6", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "vercel-token", "scanner": "gitleaks", "detector": "vercel-token", "correlation_key": "secret|packages/core/changelog.md|10|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/CHANGELOG.md"}, "region": {"startLine": 101}}}]}, {"ruleId": "vercel-token", "level": "error", "message": {"text": "Vercel Token"}, "properties": {"repobilityId": 142027, "scanner": "gitleaks", "fingerprint": "dfa6cef1a292d5ebe03f45f80bb46c6a5e397e1007be7cd0f23ea72260b8229a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "vercel-token", "scanner": "gitleaks", "detector": "vercel-token", "correlation_key": "secret|packages/core/changelog.md|9|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/CHANGELOG.md"}, "region": {"startLine": 98}}}]}, {"ruleId": "vercel-token", "level": "error", "message": {"text": "Vercel Token"}, "properties": {"repobilityId": 142026, "scanner": "gitleaks", "fingerprint": "6abfe87d2a459d5e2ac0d8eada1c5cc4c6023ea7ac98710f541c2b3b2b3a6590", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED", "rule_id": "vercel-token", "scanner": "gitleaks", "detector": "vercel-token", "correlation_key": "secret|packages/core/changelog.md|5|redacted", "duplicate_count": 1, "duplicate_rule_ids": ["vercel-token"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["405fded54d3669711feb530dc36bc7787fffce4a67ae4cce6e0f906a05cb580d", "6abfe87d2a459d5e2ac0d8eada1c5cc4c6023ea7ac98710f541c2b3b2b3a6590"]}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "packages/core/CHANGELOG.md"}, "region": {"startLine": 53}}}]}, {"ruleId": "vercel-token", "level": "error", "message": {"text": "Vercel Token"}, "properties": {"repobilityId": 142025, "scanner": "gitleaks", "fingerprint": "9256fed936586d2113e0f9a51223aa75a486301d8996815c3cfe195b3f50fdd3", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "vercel-token", "scanner": "gitleaks", "detector": "vercel-token", "correlation_key": "secret|packages/core/changelog.md|1|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/CHANGELOG.md"}, "region": {"startLine": 10}}}]}, {"ruleId": "vercel-token", "level": "error", "message": {"text": "Vercel Token"}, "properties": {"repobilityId": 142024, "scanner": "gitleaks", "fingerprint": "d97300a5b22c589bd1796db504cd5cbd29a05cb255915b40e337f961ce63df5e", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "vercel-token", "scanner": "gitleaks", "detector": "vercel-token", "correlation_key": "secret|.github/workflows/ci.yml|134|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 1343}}}]}, {"ruleId": "vercel-token", "level": "error", "message": {"text": "Vercel Token"}, "properties": {"repobilityId": 142023, "scanner": "gitleaks", "fingerprint": "bc79b635553e5b5b6f06974c2c5b16a41bc253949ad603dd5c6779d47cd83682", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "vercel-token", "scanner": "gitleaks", "detector": "vercel-token", "correlation_key": "secret|. 
token|49|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/development/deployment-guide.md"}, "region": {"startLine": 493}}}]}, {"ruleId": "vercel-token", "level": "error", "message": {"text": "Vercel Token"}, "properties": {"repobilityId": 142022, "scanner": "gitleaks", "fingerprint": "9db08d4d666779d331b90a79467e72f766288a776ced52f9e7690682946018ca", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "vercel-token", "scanner": "gitleaks", "detector": "vercel-token", "correlation_key": "secret|claude.md|27|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CLAUDE.md"}, "region": {"startLine": 279}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 142009, "scanner": "repobility-threat-engine", "fingerprint": "41ead8259d85a961434181259f3fc75b29dcff447d3fd516a858f2947ddaacb6", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|41ead8259d85a961434181259f3fc75b29dcff447d3fd516a858f2947ddaacb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/apply-075-audit-logs-index.sh"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) 
compiles strings to functions."}, "properties": {"repobilityId": 141995, "scanner": "repobility-threat-engine", "fingerprint": "92b941434e86338ef701b80315290e917c0845e1a7905949bdebecbe5bcb29fe", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|92b941434e86338ef701b80315290e917c0845e1a7905949bdebecbe5bcb29fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/telemetry/tracer-imports.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) 
compiles strings to functions."}, "properties": {"repobilityId": 141994, "scanner": "repobility-threat-engine", "fingerprint": "52fc664d2a2fccfbc6c631bd52c8fa5d765c7bc9719b0bf3b9d2b90a121abce7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|52fc664d2a2fccfbc6c631bd52c8fa5d765c7bc9719b0bf3b9d2b90a121abce7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/telemetry/metric-helpers.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED133", "level": "error", "message": {"text": "Hardcoded Slack webhook URL in source"}, "properties": {"repobilityId": 141902, "scanner": "repobility-supply-chain", "fingerprint": "78f40607f8222842783ba118972bf1dadb8c6a25ead00dd0e84660d2f323b714", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "exfil-webhook-url", "owasp": null, "cwe_ids": ["CWE-200", "CWE-540"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|78f40607f8222842783ba118972bf1dadb8c6a25ead00dd0e84660d2f323b714"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/enterprise/src/audit/scheduled-scan.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED133", "level": "error", "message": {"text": "Hardcoded Slack webhook URL in source"}, "properties": {"repobilityId": 141901, "scanner": 
"repobility-supply-chain", "fingerprint": "2099848aaec68f3f1b24571f8d92f0e0849761d8a9664b642b81d757e97d18ff", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "exfil-webhook-url", "owasp": null, "cwe_ids": ["CWE-200", "CWE-540"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2099848aaec68f3f1b24571f8d92f0e0849761d8a9664b642b81d757e97d18ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/enterprise/tests/audit/scheduled-scan.test.ts"}, "region": {"startLine": 430}}}]}, {"ruleId": "MINED133", "level": "error", "message": {"text": "Hardcoded Slack webhook URL in source"}, "properties": {"repobilityId": 141900, "scanner": "repobility-supply-chain", "fingerprint": "43d007495a043576d813b090fe4780a816a4a9fff48db5a0849b3034a7fc33b0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "exfil-webhook-url", "owasp": null, "cwe_ids": ["CWE-200", "CWE-540"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|43d007495a043576d813b090fe4780a816a4a9fff48db5a0849b3034a7fc33b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/enterprise/tests/audit/scheduled-scan.test.ts"}, "region": {"startLine": 233}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141899, "scanner": "repobility-supply-chain", "fingerprint": "992a043773e8f07474c9f21272125d0ab84f40e0fc5080f2ae79175d9f3bdb41", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|992a043773e8f07474c9f21272125d0ab84f40e0fc5080f2ae79175d9f3bdb41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 1200}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 141898, "scanner": "repobility-supply-chain", "fingerprint": "93e75e19b119df73ab0fcd6b7076525be845ea74b83807747dda797da4276576", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|93e75e19b119df73ab0fcd6b7076525be845ea74b83807747dda797da4276576"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 1177}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141897, "scanner": "repobility-supply-chain", "fingerprint": "1492d97f351853e9ec1ef019c3991763ef07adde52f50c38a913f547e7f7d760", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|1492d97f351853e9ec1ef019c3991763ef07adde52f50c38a913f547e7f7d760"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 1061}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141896, "scanner": "repobility-supply-chain", "fingerprint": "25c754669cb714af4c97caead352e491c0da0f2b91e07be1bfceee4b827aa436", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|25c754669cb714af4c97caead352e491c0da0f2b91e07be1bfceee4b827aa436"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 1058}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141895, "scanner": "repobility-supply-chain", "fingerprint": "2b439874a8b50092f4a6f31fcf0e16a638f6c7de719e816efce2c15b2de26462", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2b439874a8b50092f4a6f31fcf0e16a638f6c7de719e816efce2c15b2de26462"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 1009}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses 
`secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141894, "scanner": "repobility-supply-chain", "fingerprint": "d290831498819c4e8ef447e6f805e5d258183b589305d03fd7d37b17e3f0b6ea", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d290831498819c4e8ef447e6f805e5d258183b589305d03fd7d37b17e3f0b6ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 1006}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141893, "scanner": "repobility-supply-chain", "fingerprint": "95b059ac5295438e8843e1aed15cb2c67b13bda192e4164878b28ed9d0cc863f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|95b059ac5295438e8843e1aed15cb2c67b13bda192e4164878b28ed9d0cc863f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 737}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141892, "scanner": "repobility-supply-chain", "fingerprint": "948987babc1a29a9dfc17e18c31032da50f5ae555653ed5e3264439526ca736c", "category": "dependency", "severity": "critical", "confidence": 
0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|948987babc1a29a9dfc17e18c31032da50f5ae555653ed5e3264439526ca736c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 734}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SUPABASE_URL` on a `pull_request` trigger"}, "properties": {"repobilityId": 141891, "scanner": "repobility-supply-chain", "fingerprint": "9f2dc93eca183e961289d240bbf523b26c2759ffed2a706f87389404e3b46e95", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9f2dc93eca183e961289d240bbf523b26c2759ffed2a706f87389404e3b46e95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 590}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141890, "scanner": "repobility-supply-chain", "fingerprint": "a8b02c64c4697d28b02674e324df5333c3a4247ae84bd0a25f7a3fd758954d97", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": 
"repobility-supply-chain", "correlation_key": "fp|a8b02c64c4697d28b02674e324df5333c3a4247ae84bd0a25f7a3fd758954d97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 491}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141889, "scanner": "repobility-supply-chain", "fingerprint": "a2b0c5bdbb5b1769810974c711802813d442386bdeb519ed056382e4e8a5b8b4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a2b0c5bdbb5b1769810974c711802813d442386bdeb519ed056382e4e8a5b8b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 488}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141888, "scanner": "repobility-supply-chain", "fingerprint": "dfc3120f1827eac7baab3191f7b705e11cd4d7ceb77ff7a2033fcb5b58b0471e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dfc3120f1827eac7baab3191f7b705e11cd4d7ceb77ff7a2033fcb5b58b0471e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/concurrency-audit-pr.yml"}, "region": {"startLine": 101}}}]}, {"ruleId": 
"MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.STRATEGY_SUBMODULE_PAT` on a `pull_request` trigger"}, "properties": {"repobilityId": 141887, "scanner": "repobility-supply-chain", "fingerprint": "e1d56af526e84ef7676ce1913ecbf9aa9f3b2d0ed9c98e685008d21bc252af97", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e1d56af526e84ef7676ce1913ecbf9aa9f3b2d0ed9c98e685008d21bc252af97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/concurrency-audit-pr.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.LINEAR_API_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141886, "scanner": "repobility-supply-chain", "fingerprint": "447457dd9d9e471d1dee163133b9603ee28277aa6c7c4bd69f268f165332d79b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|447457dd9d9e471d1dee163133b9603ee28277aa6c7c4bd69f268f165332d79b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 534}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141885, "scanner": "repobility-supply-chain", "fingerprint": 
"8d5a11c4ec070cfcc347c0df697dc538f92b1986000e9d193cd28c8f86fc3cde", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8d5a11c4ec070cfcc347c0df697dc538f92b1986000e9d193cd28c8f86fc3cde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 478}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141884, "scanner": "repobility-supply-chain", "fingerprint": "76143773a4f429371350d4410365837da9a4884a701119148acab2f9b07db0c2", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76143773a4f429371350d4410365837da9a4884a701119148acab2f9b07db0c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 475}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.LINEAR_API_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141883, "scanner": "repobility-supply-chain", "fingerprint": "a2da363ad7f5e2f18c1dc603554a4710dd911f996fd670aff585a1b6c0fe40f5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a2da363ad7f5e2f18c1dc603554a4710dd911f996fd670aff585a1b6c0fe40f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 414}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141882, "scanner": "repobility-supply-chain", "fingerprint": "af3214097a89d5250a41312428643fac450fb007795e9b25ca190cb875c90533", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|af3214097a89d5250a41312428643fac450fb007795e9b25ca190cb875c90533"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 353}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141881, "scanner": "repobility-supply-chain", "fingerprint": "ed97fddf391a756ee96f5b772e51aca87fb10f02acb13bf65d37c857a445e322", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ed97fddf391a756ee96f5b772e51aca87fb10f02acb13bf65d37c857a445e322"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 350}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141880, "scanner": "repobility-supply-chain", "fingerprint": "74ead4ed8b0376ffd56214bd1f7bd66fe23a9a34034eca3bf4ca01d2cb3be275", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|74ead4ed8b0376ffd56214bd1f7bd66fe23a9a34034eca3bf4ca01d2cb3be275"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 274}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141879, "scanner": "repobility-supply-chain", "fingerprint": "c8f99967e19ed156dd6d500da178d5dc63d0626f8d261f09a53b7154ce0ac1bc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c8f99967e19ed156dd6d500da178d5dc63d0626f8d261f09a53b7154ce0ac1bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 271}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": 
{"repobilityId": 141878, "scanner": "repobility-supply-chain", "fingerprint": "6de6af1f98ec55f917fb6ad2e41d929356d2438370a9d10b5c4c9f1b9501a501", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6de6af1f98ec55f917fb6ad2e41d929356d2438370a9d10b5c4c9f1b9501a501"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141877, "scanner": "repobility-supply-chain", "fingerprint": "ff8f771a19dadc17a8ce77f4f06cbf737ac4096abfa9b61926c519b16dbb653c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ff8f771a19dadc17a8ce77f4f06cbf737ac4096abfa9b61926c519b16dbb653c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141876, "scanner": "repobility-supply-chain", "fingerprint": "811ae46e458d53978b059d5c10c875896f4bc4ea732a8d8aa8af5a145db4150f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|811ae46e458d53978b059d5c10c875896f4bc4ea732a8d8aa8af5a145db4150f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GIT_CRYPT_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 141875, "scanner": "repobility-supply-chain", "fingerprint": "a6960ad4cdfaa32fdd80fa7925521e49e6be3a07602e4c89634393b4cff57757", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a6960ad4cdfaa32fdd80fa7925521e49e6be3a07602e4c89634393b4cff57757"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 63}}}]}]}]}