{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE "}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /mcp."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 44.4% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 44.4% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 44.4% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Splitting apt update and install across layers can reuse stale package indexes and make builds less reliable."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "Package indexes increase image size and can expose stale metadata in the final image layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 11 more): Same pattern found in 11 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.25, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `dorny/test-reporter` pinned to mutable ref `@v2`", "shortDescription": {"text": "Action `dorny/test-reporter` pinned to mutable ref `@v2`"}, "fullDescription": {"text": "`uses: dorny/test-reporter@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `node:24.2.0-slim` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `node:24.2.0-slim` not pinned by digest"}, "fullDescription": {"text": "`FROM node:24.2.0-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express POST /messages has no auth", "shortDescription": {"text": "Express POST /messages has no auth"}, "fullDescription": {"text": "Express route POST /messages declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/239"}, "properties": {"repository": "Flux159/mcp-server-kubernetes", "repoUrl": "https://github.com/Flux159/mcp-server-kubernetes", "branch": "main"}, "results": [{"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /mcp."}, "properties": {"repobilityId": 45913, "scanner": "repobility-access-control", "fingerprint": "763dd02af5617841f617a2939834f2921d74b1e198cf8ae7d974db734c037d3c", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/mcp", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|120|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/streamable-http.ts"}, "region": {"startLine": 120}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 45856, "scanner": "repobility-threat-engine", "fingerprint": "e12c3fcd9cdf12d09447bd2ef6935f6806f77cd650509b873eb3082555ebc5fb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server {\n  const app = express();\n  app.use(express.json());\n\n  // Create auth middleware - whe", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e12c3fcd9cdf12d09447bd2ef6935f6806f77cd650509b873eb3082555ebc5fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/streamable-http.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 7681, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /sse."}, "properties": {"repobilityId": 7680, "scanner": "repobility-access-control", "fingerprint": "dd38ca5d54ca780af8997b3d50dae9311fb54a3be7bde3b54014a9f9594615f5", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/sse", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|src/utils/sse.ts|16|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/sse.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /mcp."}, "properties": {"repobilityId": 7679, "scanner": "repobility-access-control", "fingerprint": "bcc10f7e141879560fd226e18ca32c49aaa0bc555961d5f809c20b2306cffa8f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/mcp", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|74|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/streamable-http.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /mcp."}, "properties": {"repobilityId": 7678, "scanner": "repobility-access-control", "fingerprint": "b336307d8a4a05774fe0530d54794a1bfc9fabb3699e3756732e3647b131f39c", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/mcp", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|14|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/streamable-http.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 44.4% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 7677, "scanner": "repobility-access-control", "fingerprint": "be0ceec9aa6681a510d5d57aded51e5247a26f45b7b137554b5e9392e5e76636", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 9, "correlation_key": "fp|be0ceec9aa6681a510d5d57aded51e5247a26f45b7b137554b5e9392e5e76636", "auth_visible_percent": 44.4}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 7676, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 7675, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 7673, "scanner": "repobility-docker", "fingerprint": "a445628df964a57fe8c56a7f40e216827de166f4cb6256761431f9c66232f708", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a445628df964a57fe8c56a7f40e216827de166f4cb6256761431f9c66232f708"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 7668, "scanner": "repobility-threat-engine", "fingerprint": "906ed5a87aaaba7bdc0aa7c47f64988ef320d119d986f0cb53e06e549d54e28a", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|src/tools/kubectl-get.ts|504|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tools/kubectl-get.ts"}, "region": {"startLine": 504}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 7666, "scanner": "repobility-agent-runtime", "fingerprint": "33dad1aebbfc5b60f6877623321d217add93d74ea492e7d2df34bf6d8bf9cf81", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|33dad1aebbfc5b60f6877623321d217add93d74ea492e7d2df34bf6d8bf9cf81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helm-chart/templates/networkpolicy.yaml"}, "region": {"startLine": 38}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 7665, "scanner": "repobility-agent-runtime", "fingerprint": "cc8431b4a84fed9734586038ccbe7dd0115cc27aaa20c2f2ac2242f19f36ca02", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|cc8431b4a84fed9734586038ccbe7dd0115cc27aaa20c2f2ac2242f19f36ca02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helm-chart/templates/networkpolicy-tests.yaml"}, "region": {"startLine": 23}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 7664, "scanner": "repobility-agent-runtime", "fingerprint": "7ecd16dcd05b1dc5efd02df562c6e66842559ebb3bc668f027220a69aba1f747", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|7ecd16dcd05b1dc5efd02df562c6e66842559ebb3bc668f027220a69aba1f747"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helm-chart/templates/deployment.yaml"}, "region": {"startLine": 95}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 7663, "scanner": "repobility-agent-runtime", "fingerprint": "0b69a56d9fb5a59bcd9d2705585833732241f9fce46ba6857c95ed615493a692", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|0b69a56d9fb5a59bcd9d2705585833732241f9fce46ba6857c95ed615493a692"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helm-chart/examples/secure-networkpolicy.yaml"}, "region": {"startLine": 84}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 7662, "scanner": "repobility-agent-runtime", "fingerprint": "e687e36cb7280e79785340f57d847696f50dad2e56c1a8f548943abd1a75b675", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|e687e36cb7280e79785340f57d847696f50dad2e56c1a8f548943abd1a75b675"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helm-chart/examples/generic-kubeconfig.yaml"}, "region": {"startLine": 134}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 7661, "scanner": "repobility-agent-runtime", "fingerprint": "d7be9f594ee511822201b1f0a625eb59bcab5f038ba5722971938b572942ce69", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d7be9f594ee511822201b1f0a625eb59bcab5f038ba5722971938b572942ce69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helm-chart/examples/custom-kubeconfig.yaml"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7660, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1e239fae5c349ac1d62e9f540992af21f30474dc96c56aceeabdb7addb9cce94", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/utils/sse.ts", "duplicate_line": 25, "correlation_key": "fp|1e239fae5c349ac1d62e9f540992af21f30474dc96c56aceeabdb7addb9cce94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/streamable-http.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7654, "scanner": "repobility-ai-code-hygiene", "fingerprint": "727aaf0f3f21d8cf2e6250aefa180fd92b7fbfde71d8bf63347a6c7f7e9932b4", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/tools/kubectl-describe.ts", "duplicate_line": 67, "correlation_key": "fp|727aaf0f3f21d8cf2e6250aefa180fd92b7fbfde71d8bf63347a6c7f7e9932b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tools/kubectl-generic.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45757, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b14a9d09781a800b060a76fb22906ba74b39436b207193e7ba1634a3998fceb9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/utils/sse.ts", "duplicate_line": 25, "correlation_key": "fp|b14a9d09781a800b060a76fb22906ba74b39436b207193e7ba1634a3998fceb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/streamable-http.ts"}, "region": {"startLine": 101}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45753, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a2af46727251ea9e34c6cd37fd68a25280d21099fd9550a24464c1a5170c9fd4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/tools/kubectl-describe.ts", "duplicate_line": 67, "correlation_key": "fp|a2af46727251ea9e34c6cd37fd68a25280d21099fd9550a24464c1a5170c9fd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tools/kubectl-generic.ts"}, "region": {"startLine": 109}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 7674, "scanner": "repobility-docker", "fingerprint": "6156a9e38005fa1db7bf224d6d6039922f0a7289ced82774e7446cc165b9e687", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6156a9e38005fa1db7bf224d6d6039922f0a7289ced82774e7446cc165b9e687"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 7672, "scanner": "repobility-docker", "fingerprint": "a9fb2240e0549c7e385ad6b7fe688dc8b84aead5a115cc012e449ef5d5706bab", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a9fb2240e0549c7e385ad6b7fe688dc8b84aead5a115cc012e449ef5d5706bab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 7671, "scanner": "repobility-docker", "fingerprint": "580c5e0652ac8b5bface2cb49a9cb00187ad4ed928d711fcdf7c1598408be24c", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|580c5e0652ac8b5bface2cb49a9cb00187ad4ed928d711fcdf7c1598408be24c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 7670, "scanner": "repobility-docker", "fingerprint": "856b68d9ec35c097065e508a6c629556126ef8ff177e97fcc1951d487fdfda9e", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|856b68d9ec35c097065e508a6c629556126ef8ff177e97fcc1951d487fdfda9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7659, "scanner": "repobility-ai-code-hygiene", "fingerprint": "07ca0f62c3105b850742fb3d09111ca7b6e55c74adb70850b4e0777f911a48ec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/tools/kubectl-describe.ts", "duplicate_line": 62, "correlation_key": "fp|07ca0f62c3105b850742fb3d09111ca7b6e55c74adb70850b4e0777f911a48ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tools/kubectl-scale.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7658, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1453295d3745599ec55e8ff218b3fc8df2488ff8abb0141e96d55706415adfc8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/tools/kubectl-describe.ts", "duplicate_line": 66, "correlation_key": "fp|1453295d3745599ec55e8ff218b3fc8df2488ff8abb0141e96d55706415adfc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tools/kubectl-rollout.ts"}, "region": {"startLine": 114}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7657, "scanner": "repobility-ai-code-hygiene", "fingerprint": "47389654631ae7bda64f198cbfec3fe688486ef0eb674cf7e1bbb8f4d828f4f9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/tools/kubectl-apply.ts", "duplicate_line": 79, "correlation_key": "fp|47389654631ae7bda64f198cbfec3fe688486ef0eb674cf7e1bbb8f4d828f4f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tools/kubectl-patch.ts"}, "region": {"startLine": 110}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7656, "scanner": "repobility-ai-code-hygiene", "fingerprint": "51a5eda0ca98f000b43fddb811ff24fee8cd4b4e12219862d7aa85458a880c76", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/index.ts", "duplicate_line": 269, "correlation_key": "fp|51a5eda0ca98f000b43fddb811ff24fee8cd4b4e12219862d7aa85458a880c76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tools/kubectl-logs.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7655, "scanner": "repobility-ai-code-hygiene", "fingerprint": "45dc961249fbd25cdd633d54b328be66c674f185d4f3408731e266e391c732e0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/tools/kubectl-delete.ts", "duplicate_line": 172, "correlation_key": "fp|45dc961249fbd25cdd633d54b328be66c674f185d4f3408731e266e391c732e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tools/kubectl-get.ts"}, "region": {"startLine": 217}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7653, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0496ab552bf248e804a75aecd26feb3e01461630e168f5c8e9d486aa9663f67e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/tools/kubectl-delete.ts", "duplicate_line": 172, "correlation_key": "fp|0496ab552bf248e804a75aecd26feb3e01461630e168f5c8e9d486aa9663f67e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tools/kubectl-describe.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7652, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7ba458fbc52f5a1da9b3b6b0c452b556c01d10af02bc92fe69fb1de1ed06afe8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/tools/kubectl-apply.ts", "duplicate_line": 79, "correlation_key": "fp|7ba458fbc52f5a1da9b3b6b0c452b556c01d10af02bc92fe69fb1de1ed06afe8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tools/kubectl-delete.ts"}, "region": {"startLine": 131}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7651, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bafacbba0a2de4f0dfe37e1d0daa3ba6731ad55bf3307dcabed7beb5a5898102", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/tools/kubectl-apply.ts", "duplicate_line": 80, "correlation_key": "fp|bafacbba0a2de4f0dfe37e1d0daa3ba6731ad55bf3307dcabed7beb5a5898102"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tools/kubectl-create.ts"}, "region": {"startLine": 321}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 45855, "scanner": "repobility-threat-engine", "fingerprint": "7e3019629d841557b4e7ab1b64824267752ae258515b03f9fc9d81e5091597bf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7e3019629d841557b4e7ab1b64824267752ae258515b03f9fc9d81e5091597bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/streamable-http.ts"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 45854, "scanner": "repobility-threat-engine", "fingerprint": "9ef0e802cb16d05e3de54d7cd9ab26d6bfa5fb3ee3cb3675968dd5373b562330", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9ef0e802cb16d05e3de54d7cd9ab26d6bfa5fb3ee3cb3675968dd5373b562330"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/sse.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 45853, "scanner": "repobility-threat-engine", "fingerprint": "9a1e8821cadcee3ccf55ebb27b55280f984a429967642d07d09158140b573251", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9a1e8821cadcee3ccf55ebb27b55280f984a429967642d07d09158140b573251"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/kubernetes-manager.ts"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 45852, "scanner": "repobility-threat-engine", "fingerprint": "9fa3ecb6f11d304e53b9a8c3b5a4232aecc320dda73d36f02caa09577cbfe20a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9fa3ecb6f11d304e53b9a8c3b5a4232aecc320dda73d36f02caa09577cbfe20a", "aggregated_count": 11}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 45851, "scanner": "repobility-threat-engine", "fingerprint": "c82cb467176568a5b1a582a5fa56b5839e6938518170590bbd82c07fced0f749", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c82cb467176568a5b1a582a5fa56b5839e6938518170590bbd82c07fced0f749"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tools/kubectl-apply.ts"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 45849, "scanner": "repobility-threat-engine", "fingerprint": "f207d341ae5941bf701cd75b30797c31c0e0b3072ee5f19ae5b0f7f10d6afa7b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f207d341ae5941bf701cd75b30797c31c0e0b3072ee5f19ae5b0f7f10d6afa7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tools/exec_in_pod.ts"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 45848, "scanner": "repobility-threat-engine", "fingerprint": "30cff8f150b74d3433a073141ef9c728963bf56c4c782d2d70dc2825442ebdd9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|30cff8f150b74d3433a073141ef9c728963bf56c4c782d2d70dc2825442ebdd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/middleware/telemetry-middleware.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 45847, "scanner": "repobility-threat-engine", "fingerprint": "ca65d540c23281fd4abe67cd8bcbbc0631cb263ac4e93da4ec9d2a039e584504", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ca65d540c23281fd4abe67cd8bcbbc0631cb263ac4e93da4ec9d2a039e584504"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config/telemetry-config.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 45846, "scanner": "repobility-threat-engine", "fingerprint": "f1e161962fe043d40b0b62354f7238946ffae30e19da416a3889d752e32876be", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f1e161962fe043d40b0b62354f7238946ffae30e19da416a3889d752e32876be", "aggregated_count": 8}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 45844, "scanner": "repobility-threat-engine", "fingerprint": "badcf57c397c1338bffc398323f2344ccb6ac6bd77bb87ce6377ec6f51991992", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|badcf57c397c1338bffc398323f2344ccb6ac6bd77bb87ce6377ec6f51991992"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tools/kubectl-apply.ts"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 45842, "scanner": "repobility-threat-engine", "fingerprint": "5a519ed0783294f45326ba651ba0d4d7bf27187fd05f725b10f1a566968c5e44", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5a519ed0783294f45326ba651ba0d4d7bf27187fd05f725b10f1a566968c5e44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config/telemetry-config.ts"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 45838, "scanner": "repobility-threat-engine", "fingerprint": "c4eb42e045ca7880afc714a34d1d7e869d4edac79226c0ae69283fcc0c1ca6b2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c4eb42e045ca7880afc714a34d1d7e869d4edac79226c0ae69283fcc0c1ca6b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/update-version.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 7669, "scanner": "repobility-threat-engine", "fingerprint": "73b7ae720b6c395945489a1e8394ec69e2d9c93c78cb486336f6bc6675e6a850", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|358|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/kubernetes-manager.ts"}, "region": {"startLine": 358}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 7667, "scanner": "repobility-threat-engine", "fingerprint": "8e1c5035590ac6ba9319ed8b6bebfc6de8164a73614027b6b0e38567cf7c7d65", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.warn(\"Failed to parse secrets output for masking:\", error)", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|src/tools/kubectl-get.ts|51|console.warn failed to parse secrets output for masking: error"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tools/kubectl-get.ts"}, "region": {"startLine": 513}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dorny/test-reporter` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 45808, "scanner": "repobility-supply-chain", "fingerprint": "03e379ab53972374948cf8d567340e09fddc31418668469421d83e045a1dd91b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|03e379ab53972374948cf8d567340e09fddc31418668469421d83e045a1dd91b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 45807, "scanner": "repobility-supply-chain", "fingerprint": "82c3c1a1111186dce476b3eb0df30ebe53d8f240ddac5c05cae7b05d203d8e8a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|82c3c1a1111186dce476b3eb0df30ebe53d8f240ddac5c05cae7b05d203d8e8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 45806, "scanner": "repobility-supply-chain", "fingerprint": "e4a64764635909eeb29322481c5d90014e9fc5f86625c96327826fbab73bc5ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e4a64764635909eeb29322481c5d90014e9fc5f86625c96327826fbab73bc5ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 45791, "scanner": "repobility-supply-chain", "fingerprint": "c3cfd43606edd8d84e4b8531621e98c3e4da88b0e9d9814f6178e31c92a72e63", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c3cfd43606edd8d84e4b8531621e98c3e4da88b0e9d9814f6178e31c92a72e63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cd.yml"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `reecetech/version-increment` pinned to mutable ref `@2024.10.1`"}, "properties": {"repobilityId": 45789, "scanner": "repobility-supply-chain", "fingerprint": "60b8837f0e19414ac44c1d05a3666d909c318bd01c3250f7dadadce09eede4a9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|60b8837f0e19414ac44c1d05a3666d909c318bd01c3250f7dadadce09eede4a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cd.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `azure/setup-helm` pinned to mutable ref `@v4.3.0`"}, "properties": {"repobilityId": 45788, "scanner": "repobility-supply-chain", "fingerprint": "11e26568f7e3e8078a638ad0f0796a3b1610c7d343498bc1e67050fbc72e3db5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|11e26568f7e3e8078a638ad0f0796a3b1610c7d343498bc1e67050fbc72e3db5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cd.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 45787, "scanner": "repobility-supply-chain", "fingerprint": "af851a2789d441b5ac239bd91051cb114f8eaba7c75e433e2510a6b855e8e4a7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|af851a2789d441b5ac239bd91051cb114f8eaba7c75e433e2510a6b855e8e4a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cd.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 45786, "scanner": "repobility-supply-chain", "fingerprint": "04733b18d7b0c8c2e4ece1451af7acc1eb9d974b4a7316b92703ad80a37fe2a5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|04733b18d7b0c8c2e4ece1451af7acc1eb9d974b4a7316b92703ad80a37fe2a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cd.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:24.2.0-slim` not pinned by digest"}, "properties": {"repobilityId": 45777, "scanner": "repobility-supply-chain", "fingerprint": "7345a18c0759771dae42ea6cbfcff1129345d3f811532b2b982f11b5bc3a4c99", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7345a18c0759771dae42ea6cbfcff1129345d3f811532b2b982f11b5bc3a4c99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /messages has no auth"}, "properties": {"repobilityId": 45758, "scanner": "repobility-route-auth", "fingerprint": "362cb3bd45549952a81b8d3618373b2abedfb8f243fe4cf1fa6ee38a360f20a1", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|362cb3bd45549952a81b8d3618373b2abedfb8f243fe4cf1fa6ee38a360f20a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/sse.test.ts"}, "region": {"startLine": 26}}}]}]}]}