{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /x-"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /x-api-key."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /files/{file_id}."}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /files/{file_id}."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 19.5% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 19.5% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 19.5% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image has no explicit tag", "shortDescription": {"text": "Dockerfile base image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR003", "name": "Compose service `ds2api` image uses the latest tag", "shortDescription": {"text": "Compose service `ds2api` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_README", "name": "No README file found", "shortDescription": {"text": "No README file found"}, "fullDescription": {"text": "Create a README.md with: project name and description, installation instructions, usage examples, configuration options, and contribution guidelines."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "MINED100", "name": "[MINED100] React Index As Key: Using the loop index `i` as React `key` causes re-render bugs when the list re-orders, it", "shortDescription": {"text": "[MINED100] React Index As Key: Using the loop index `i` as React `key` causes re-render bugs when the list re-orders, items are inserted/removed mid-list, or items have state. Prefer a stable unique id from the data."}, "fullDescription": {"text": "Use a stable unique identifier from your data: `key={item.id}`. Only use the index when the list is truly static and never reorders."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.", "shortDescription": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.25, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /models/{model_id}."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /models/{model_id}."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "fullDescription": {"text": "Use a constant command name and validate args via a whitelist."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/setup-go` pinned to mutable ref `@v5`", "shortDescription": {"text": "Action `actions/setup-go` pinned to mutable ref `@v5`"}, "fullDescription": {"text": "`uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `debian:bookworm-slim` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `debian:bookworm-slim` not pinned by digest"}, "fullDescription": {"text": "`FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/126"}, "properties": {"repository": "CJackHwang/ds2api", "repoUrl": "https://github.com/CJackHwang/ds2api.git", "branch": "main"}, "results": [{"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /x-api-key."}, "properties": {"repobilityId": 41228, "scanner": "repobility-access-control", "fingerprint": "395160985ff0539ff7f58aa3269e90b1f5463cecae2b97b3d56633c1d5c5cbe0", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/x-api-key", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/auth/request.go|238|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/auth/request.go"}, "region": {"startLine": 238}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /files/{file_id}."}, "properties": {"repobilityId": 41227, "scanner": "repobility-access-control", "fingerprint": "e99b6dd59be6aba06aa43fe988868052e75aa213abb7aade3fceabb3d5f1d060", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/files/{file_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|114|cwe-285", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 114}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 19.5% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 41224, "scanner": "repobility-access-control", "fingerprint": "6c38e2daea821bd9373301482e2e717c80a232e6c0b4ba270aa5ab6d0e705021", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 123, "correlation_key": "fp|6c38e2daea821bd9373301482e2e717c80a232e6c0b4ba270aa5ab6d0e705021", "auth_visible_percent": 19.5}}}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 41222, "scanner": "repobility-threat-engine", "fingerprint": "1213553e0108086210d1616aa6a2beac726ac07f923fdfc58b052d454f6b2494", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"user@example.com\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1213553e0108086210d1616aa6a2beac726ac07f923fdfc58b052d454f6b2494"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/src/features/account/AddAccountModal.jsx"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 41213, "scanner": "repobility-threat-engine", "fingerprint": "d0ed4eebeaf36286d391f05ef24d417de65b12f2f44b4729b8bb4b29ae73f74a", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a\n                        href=\"/v1/models\"\n                        target=\"_blank\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|109|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/src/components/LandingPage.jsx"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 41212, "scanner": "repobility-threat-engine", "fingerprint": "3ca0fd42613b733ebb164de281df13149553e75cb827c04eddd10fbade666dc2", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"https://github.com/CJackHwang/ds2api\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|internal/webui/handler.go|17|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/webui/handler.go"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 41190, "scanner": "repobility-threat-engine", "fingerprint": "d1aa67036f5b28615b7b5ef0c9b13e57aa0ea3bf211be8124d3611ec25833d45", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{\n\t\tAddr:              \"0.0.0.0:\" + port,\n\t\tHandler:           app.Router,\n\t\tReadHeaderTi", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d1aa67036f5b28615b7b5ef0c9b13e57aa0ea3bf211be8124d3611ec25833d45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/ds2api/main.go"}, "region": {"startLine": 37}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Access-Control-Request-Private-Network."}, "properties": {"repobilityId": 4701, "scanner": "repobility-access-control", "fingerprint": "3cc9e61883711b863ced131c507cf7fd9e845cb04c79fed56759182f0568c510", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Access-Control-Request-Private-Network", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|302|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 302}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Origin."}, "properties": {"repobilityId": 4700, "scanner": "repobility-access-control", "fingerprint": "df24816034893b4d2ebb6aebaba7417bf54707fa75b7ebba2b72a51dcb56057b", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Origin", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|291|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 291}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /embeddings."}, "properties": {"repobilityId": 4699, "scanner": "repobility-access-control", "fingerprint": "c07b6c9cb673bb1f1dbc29ec8755a2523a7d0ffde1477c04f95c89415fe5021d", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/embeddings", "method": "POST", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|115|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 115}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api_key."}, "properties": {"repobilityId": 4632, "scanner": "repobility-access-control", "fingerprint": "b6a66a9aad4605c1044f3efbe270af4e4a4eb8b9341e74f935ad866854b76858", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api_key", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/auth/request.go|250|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/auth/request.go"}, "region": {"startLine": 250}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /key."}, "properties": {"repobilityId": 4631, "scanner": "repobility-access-control", "fingerprint": "0d3e8850aaa6ba5eada3cd28179086d864c62e370e2c4aa575595efc3f731043", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/key", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/auth/request.go|247|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/auth/request.go"}, "region": {"startLine": 247}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Authorization."}, "properties": {"repobilityId": 4629, "scanner": "repobility-access-control", "fingerprint": "dd3ba5184fb28ab89c9f2341b6f008d6ac99f411ca029e0e68ce2817f228648b", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Authorization", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/auth/request.go|231|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/auth/request.go"}, "region": {"startLine": 231}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /X-Ds2-Target-Account."}, "properties": {"repobilityId": 4628, "scanner": "repobility-access-control", "fingerprint": "f690a12fa613393c4a4d5f32c54b925ff8b8231c2aa6a01d64d71892e0fec565", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/X-Ds2-Target-Account", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/auth/request.go|73|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/auth/request.go"}, "region": {"startLine": 73}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Access-Control-Request-Private-Network."}, "properties": {"repobilityId": 4463, "scanner": "repobility-access-control", "fingerprint": "0d08b0bd8db54f9384a962913ad920e2d1988a0de4e0bf0157810c9a857a4275", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Access-Control-Request-Private-Network", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|211|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 211}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Origin."}, "properties": {"repobilityId": 4462, "scanner": "repobility-access-control", "fingerprint": "79f7e7b3348fb71ba378cbc76ac001b5c17b9ac16f356d8442b09db3f434df56", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Origin", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|200|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 200}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /embeddings."}, "properties": {"repobilityId": 4461, "scanner": "repobility-access-control", "fingerprint": "98b990b86771b6708feae8548cb91f88fd6c812af69bd18e136580e406a1ab9e", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/embeddings", "method": "POST", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|114|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 114}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /files/{file_id}."}, "properties": {"repobilityId": 4460, "scanner": "repobility-access-control", "fingerprint": "6df4c858b43b863edbbf04345d89869060710899c1d3036b1ab24b7aab17b890", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/files/{file_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|113|cwe-285", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 113}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Access-Control-Request-Private-Network."}, "properties": {"repobilityId": 4141, "scanner": "repobility-access-control", "fingerprint": "e5f360f0f462a6c0c1667f687a2fb21bf46ea9670cd03826b57be43dee39ee30", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Access-Control-Request-Private-Network", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|208|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 208}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Origin."}, "properties": {"repobilityId": 4140, "scanner": "repobility-access-control", "fingerprint": "ab1d37ffc2965bf9b6b0bde4b5850ea553bb18f3b0dde3e11e6dd41aaa6cefb6", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Origin", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|197|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 197}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /Authorization."}, "properties": {"repobilityId": 4139, "scanner": "repobility-access-control", "fingerprint": "04618d7c7047c99cefb067d1abc39781f6d09f22be193ea1b729d8cfe3541138", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Authorization", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|44|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/auth/handler_auth.go"}, "region": {"startLine": 44}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /embeddings."}, "properties": {"repobilityId": 4138, "scanner": "repobility-access-control", "fingerprint": "41babf4f7d9aa69b97f37c81d54ec08649b3090eedbfd6ea69aeffc105ea9322", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/embeddings", "method": "POST", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|112|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 112}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /files/{file_id}."}, "properties": {"repobilityId": 4137, "scanner": "repobility-access-control", "fingerprint": "672da74e29eac5ab3b4dc9adf98648fac65b4516411935fc1af05a984cf6eac1", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/files/{file_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|111|cwe-285", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 111}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 4128, "scanner": "repobility-threat-engine", "fingerprint": "6f3efa530cda0ad7750a86978a5bbab1a1b519e4a3e08a86ea74a2b8b454540b", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6f3efa530cda0ad7750a86978a5bbab1a1b519e4a3e08a86ea74a2b8b454540b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/js/chat-stream/vercel_stream_impl.js"}, "region": {"startLine": 78}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 4127, "scanner": "repobility-threat-engine", "fingerprint": "4ca6557ba38c940dcccb5bcebe75569ac5e1d9357473f1d8ee0f47e2e547b4ac", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4ca6557ba38c940dcccb5bcebe75569ac5e1d9357473f1d8ee0f47e2e547b4ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/src/features/apiTester/useChatStreamClient.js"}, "region": {"startLine": 210}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 3883, "scanner": "repobility-docker", "fingerprint": "80f697b26c8c1092e8fd41c3384295506c983801c25f8ed03a4d1369be34be74", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "runtime-from-source", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|80f697b26c8c1092e8fd41c3384295506c983801c25f8ed03a4d1369be34be74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 70}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 3882, "scanner": "repobility-docker", "fingerprint": "f8a039c0735a1a65e92f13f202d4d669fdc94a4616f8873b8af62317da5e36f6", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Image reference has no tag or digest.", "evidence": {"image": "runtime-from-source", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f8a039c0735a1a65e92f13f202d4d669fdc94a4616f8873b8af62317da5e36f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 70}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 3881, "scanner": "repobility-docker", "fingerprint": "170f565a4e7d2efefce2f3dff4f813f5a93852da72062aeb992075bfeb1c181b", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Image reference has no tag or digest.", "evidence": {"image": "runtime-base", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|170f565a4e7d2efefce2f3dff4f813f5a93852da72062aeb992075bfeb1c181b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 63}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 3880, "scanner": "repobility-docker", "fingerprint": "88519ea84e6b380341b5fd865ffda4e9d463b0d0fa8adc3f9383741db42eaed3", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Image reference has no tag or digest.", "evidence": {"image": "busybox-tools", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|88519ea84e6b380341b5fd865ffda4e9d463b0d0fa8adc3f9383741db42eaed3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 45}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 3879, "scanner": "repobility-docker", "fingerprint": "451066836888000c029278d932f001fd352446a5bbdb8d432810359c98b7959a", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Image reference has no tag or digest.", "evidence": {"image": "runtime-base", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|451066836888000c029278d932f001fd352446a5bbdb8d432810359c98b7959a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 38}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /anthropic/v1/messages/count_tokens."}, "properties": {"repobilityId": 3708, "scanner": "repobility-access-control", "fingerprint": "9c8704f0935561f43bf51b9776e411f3822c1ed5db00dc5e28ec1c7a36dd429c", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/anthropic/v1/messages/count_tokens", "method": "POST", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|40|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/claude/handler_routes.go"}, "region": {"startLine": 40}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /anthropic/v1/messages."}, "properties": {"repobilityId": 3707, "scanner": "repobility-access-control", "fingerprint": "4bebfdf01297dfef8a36b42814e5143bdb7ddeef774c4ad9dfa881f73677fd11", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/anthropic/v1/messages", "method": "POST", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|39|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/claude/handler_routes.go"}, "region": {"startLine": 39}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /anthropic/v1/models."}, "properties": {"repobilityId": 3706, "scanner": "repobility-access-control", "fingerprint": "849360f10d75c86cd6fa3c2b1e2b351efceacf43ad40eb9c0cc43e1445099b7d", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/anthropic/v1/models", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|38|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/claude/handler_routes.go"}, "region": {"startLine": 38}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api_key."}, "properties": {"repobilityId": 3705, "scanner": "repobility-access-control", "fingerprint": "ee92e7093083948a46a859414d9d4faead620db21aec458787217848a7d1cdc3", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api_key", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/auth/request.go|238|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/auth/request.go"}, "region": {"startLine": 238}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /verify."}, "properties": {"repobilityId": 3704, "scanner": "repobility-access-control", "fingerprint": "e86207c9397f8b655d89ae7ff756c84e783df4be92b3ac47a50996f7af392b79", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/verify", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|15|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/auth/routes.go"}, "region": {"startLine": 15}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /login."}, "properties": {"repobilityId": 3703, "scanner": "repobility-access-control", "fingerprint": "bdcc0fa59559b6c4fb48eee3acc0eac46e236f8b80353525e679ed507d80e914", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/login", "method": "POST", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|14|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/auth/routes.go"}, "region": {"startLine": 14}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /chat-history/settings."}, "properties": {"repobilityId": 3702, "scanner": "repobility-access-control", "fingerprint": "527f8343040fee8dcf7f0adc69b348b6576af22b645c7f5941d2ebf189a363a3", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/chat-history/settings", "method": "PUT", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|10|cwe-285", "duplicate_count": 1, "identity_targets": ["unknown", "admin"], "duplicate_rule_ids": ["AUC004"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["527f8343040fee8dcf7f0adc69b348b6576af22b645c7f5941d2ebf189a363a3", "60c34a17631979940187043920a82d7dafcf4d98144dc9844b80fea5a6bd5f0a"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/history/routes.go"}, "region": {"startLine": 10}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 3142, "scanner": "repobility-journey-contract", "fingerprint": "9597c2543974a7d02555237baf59dac0037e805c6860f77d95b2708a2ee49f23", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|38|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/src/app/useAdminAuth.js"}, "region": {"startLine": 38}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 3141, "scanner": "repobility-journey-contract", "fingerprint": "ff46dd2720271083d4c19ffa527e59d73b529a3ea27e2c32e03807eb7cc9147c", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|37|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/src/app/useAdminAuth.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /key."}, "properties": {"repobilityId": 3140, "scanner": "repobility-access-control", "fingerprint": "873478505da68b6691526fcaf8de73de4093c40fb2f5173576c80a45217f9c3d", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/key", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/auth/request.go|235|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/auth/request.go"}, "region": {"startLine": 235}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /x-api-key."}, "properties": {"repobilityId": 3139, "scanner": "repobility-access-control", "fingerprint": "22077a20335c6405c65808a7ff0a0a14ff5d9e48f3e31080c5b294db930650ed", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/x-api-key", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/auth/request.go|226|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/auth/request.go"}, "region": {"startLine": 226}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Authorization."}, "properties": {"repobilityId": 3138, "scanner": "repobility-access-control", "fingerprint": "3a2f3fe1bba8b65fdbe72827b2db94e052445fe32ff549ba62ba07210f509a72", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Authorization", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/auth/request.go|219|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/auth/request.go"}, "region": {"startLine": 219}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /X-Ds2-Target-Account."}, "properties": {"repobilityId": 3137, "scanner": "repobility-access-control", "fingerprint": "309ee4f4fea0d28af4b84aa3e81fa2ee8cd4adaa47db42d0be3dc3d9e4ab3f07", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/X-Ds2-Target-Account", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/auth/request.go|72|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/auth/request.go"}, "region": {"startLine": 72}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Access-Control-Request-Private-Network."}, "properties": {"repobilityId": 3136, "scanner": "repobility-access-control", "fingerprint": "5c9d316b82e1802cb6b2619f3194f18d843ee8378fc215def8d7a7460c3c4bfc", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Access-Control-Request-Private-Network", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|196|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 196}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Origin."}, "properties": {"repobilityId": 3135, "scanner": "repobility-access-control", "fingerprint": "d22b79541b3dca7310b420cab039a66dfb6dc4bf217948413cafb8f49ab8702e", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Origin", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|185|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 185}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Vary."}, "properties": {"repobilityId": 3134, "scanner": "repobility-access-control", "fingerprint": "5de2f0a4d22e63435db6ed753257c40356926b57cc8173cdbd67c13e2fdf8fa5", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Vary", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|43|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router_cors_test.go"}, "region": {"startLine": 43}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Access-Control-Allow-Headers."}, "properties": {"repobilityId": 3133, "scanner": "repobility-access-control", "fingerprint": "3b8adb156827cfe7b64c21377b95445571b4da887e5dec463d87437b43a3c74d", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Access-Control-Allow-Headers", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|40|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router_cors_test.go"}, "region": {"startLine": 40}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Access-Control-Allow-Headers."}, "properties": {"repobilityId": 3132, "scanner": "repobility-access-control", "fingerprint": "1e4897c2fa26a17eb8a95cbd2555e062b35a0d904165b311b41bf21662142da4", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Access-Control-Allow-Headers", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|36|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router_cors_test.go"}, "region": {"startLine": 36}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Access-Control-Allow-Headers."}, "properties": {"repobilityId": 3131, "scanner": "repobility-access-control", "fingerprint": "d2c5ed998ddd439570cc2b2c3286e87be4d04cd5d8bc6ca38e6f27f66349f1ed", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Access-Control-Allow-Headers", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|33|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router_cors_test.go"}, "region": {"startLine": 33}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /admin/proxies/{proxyID}."}, "properties": {"repobilityId": 3130, "scanner": "repobility-access-control", "fingerprint": "65eb10691faa5c0f58fe88508939be8c45427d26a6472b0864e38bb4e6f7aa57", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin/proxies/{proxyID}", "method": "PUT", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|135|cwe-285", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/proxies/handler_proxies_test.go"}, "region": {"startLine": 135}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /admin/proxies/{proxyID}."}, "properties": {"repobilityId": 3129, "scanner": "repobility-access-control", "fingerprint": "c9e207fca1a3dbdf077476f3d2c58bf19a461105949c8802758fca2cf089ff97", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin/proxies/{proxyID}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|108|cwe-285", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/proxies/handler_proxies_test.go"}, "region": {"startLine": 108}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /admin/proxies."}, "properties": {"repobilityId": 3128, "scanner": "repobility-access-control", "fingerprint": "c519f09cdec7095e3b3493f7fd25d3fb946e41cd9c8db72f1d28238256e91414", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin/proxies", "method": "POST", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|31|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/proxies/handler_proxies_test.go"}, "region": {"startLine": 31}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /admin."}, "properties": {"repobilityId": 3127, "scanner": "repobility-access-control", "fingerprint": "bf0758293cd140d096901970e737caa823d6df9c7afc82e6f934cc9b38643322", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/webui/handler.go|29|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/webui/handler.go"}, "region": {"startLine": 29}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /."}, "properties": {"repobilityId": 3126, "scanner": "repobility-access-control", "fingerprint": "21a6b237e8eedd5b7af95edf6529153490ea5f8071e88653a71388ced2393d82", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/webui/handler.go|28|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/webui/handler.go"}, "region": {"startLine": 28}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /Authorization."}, "properties": {"repobilityId": 3125, "scanner": "repobility-access-control", "fingerprint": "dcb641e71f5f7aefae41dcd622c00faaf2efaf10c3c76557869face88fda6fa7", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Authorization", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/auth/admin.go|148|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/auth/admin.go"}, "region": {"startLine": 148}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /v1/embeddings."}, "properties": {"repobilityId": 3124, "scanner": "repobility-access-control", "fingerprint": "6824ad82a720a7071a77fe228d20cc27c4912c8f9a4988c6824e95fd9ee1448f", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/embeddings", "method": "POST", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|100|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 100}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /v1/files."}, "properties": {"repobilityId": 3123, "scanner": "repobility-access-control", "fingerprint": "0cc36d0456d257a9fa91ba1701f55b152b3fb4c30d408bdaaa93edc7e35e90d7", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/files", "method": "POST", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|99|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 99}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /v1/responses/{response_id}."}, "properties": {"repobilityId": 3122, "scanner": "repobility-access-control", "fingerprint": "b79732888a96592cedb76b4bdf6f889d190a1c64419ded0f2ec4779d5047a5e2", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/responses/{response_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|98|cwe-285", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 98}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /v1/responses."}, "properties": {"repobilityId": 3121, "scanner": "repobility-access-control", "fingerprint": "4a883420964e556398ac87ad02921e2988cdc57c577a85a84f4f67870a52535b", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/responses", "method": "POST", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|97|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 97}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 22.6% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 3110, "scanner": "repobility-access-control", "fingerprint": "73b3672fe214ad55933bc1058e6f66b5505ddfcf3b52427c76e7cfe5b3a641b5", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 155, "correlation_key": "fp|73b3672fe214ad55933bc1058e6f66b5505ddfcf3b52427c76e7cfe5b3a641b5", "auth_visible_percent": 22.6}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 3109, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Chi"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `ds2api` image uses the latest tag"}, "properties": {"repobilityId": 3106, "scanner": "repobility-docker", "fingerprint": "a7ecbeb5c3da0ca44f0a32d48a822ef4bf5cf115d8fad8e6a7177874f97f6df7", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/cjackhwang/ds2api:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a7ecbeb5c3da0ca44f0a32d48a822ef4bf5cf115d8fad8e6a7177874f97f6df7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 3104, "scanner": "repobility-docker", "fingerprint": "35ebac9c5c25f779a2aa1613aa637af2f145872a3bd501319259da7e58353ed6", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "runtime-from-source", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|35ebac9c5c25f779a2aa1613aa637af2f145872a3bd501319259da7e58353ed6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 66}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 3103, "scanner": "repobility-docker", "fingerprint": "786a092176c5a3cc72c0bb537f03902924718e8a65cb8c1bf0b5e338c38c73cd", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Image reference has no tag or digest.", "evidence": {"image": "runtime-from-source", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|786a092176c5a3cc72c0bb537f03902924718e8a65cb8c1bf0b5e338c38c73cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 66}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 3102, "scanner": "repobility-docker", "fingerprint": "0021c69cbd7055e99950750deae05bdc8dd7925ae518c960fc36967813a28532", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Image reference has no tag or digest.", "evidence": {"image": "runtime-base", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0021c69cbd7055e99950750deae05bdc8dd7925ae518c960fc36967813a28532"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 60}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 3101, "scanner": "repobility-docker", "fingerprint": "1afa3a52f82d2d3c7d172281db15bbe7ac54640e47bd7490bd562ec15fdac914", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Image reference has no tag or digest.", "evidence": {"image": "busybox-tools", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1afa3a52f82d2d3c7d172281db15bbe7ac54640e47bd7490bd562ec15fdac914"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 3100, "scanner": "repobility-docker", "fingerprint": "4c131747a64a9f2082a10016e32d2edb905e42662ab52f20107a1dbabe65e5a5", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Image reference has no tag or digest.", "evidence": {"image": "runtime-base", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4c131747a64a9f2082a10016e32d2edb905e42662ab52f20107a1dbabe65e5a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 3099, "scanner": "repobility-docker", "fingerprint": "ecef775d672010dbfde9fe7b609ba2b6f1b14326e42da3a5a522450cd5a16c59", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|ecef775d672010dbfde9fe7b609ba2b6f1b14326e42da3a5a522450cd5a16c59", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 3089, "scanner": "repobility-threat-engine", "fingerprint": "e4640c7cc7a2280534c9d81cc9f7d345c4ea913e46545df1a538c9b3782b410f", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e4640c7cc7a2280534c9d81cc9f7d345c4ea913e46545df1a538c9b3782b410f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/js/chat-stream/vercel_stream_impl.js"}, "region": {"startLine": 79}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 3088, "scanner": "repobility-threat-engine", "fingerprint": "ae7d835b1869dba4bca69dadc2df0b287a5ee8ccad0a88f825df934fe91ba440", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ae7d835b1869dba4bca69dadc2df0b287a5ee8ccad0a88f825df934fe91ba440"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/src/features/apiTester/useChatStreamClient.js"}, "region": {"startLine": 211}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3087, "scanner": "repobility-ai-code-hygiene", "fingerprint": "371560177ee55a3e33d3a8db29f164b20f450eaf74614fc7efa4072035bd5441", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/admin/shared/helpers.go", "duplicate_line": 82, "correlation_key": "fp|371560177ee55a3e33d3a8db29f164b20f450eaf74614fc7efa4072035bd5441"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/vercel/handler_vercel.go"}, "region": {"startLine": 254}}}]}, {"ruleId": "CORE_NO_README", "level": "warning", "message": {"text": "No README file found"}, "properties": {"repobilityId": 3075, "scanner": "repobility-core", "fingerprint": "b55c73163757fe6b2364bb829fcd26e87b9d9e7b367dd2a3307a814b02b29cbd", "category": "documentation", "severity": "medium", "confidence": null, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"rule_id": "CORE_NO_README", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_readme"}}}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 41202, "scanner": "repobility-threat-engine", "fingerprint": "4104cb2a727ed79ac3936dcb08f81a098d5c5740cbb65128173d427b876f274d", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"[reasoning_content]\\n\" + reasoning + \"\\n[/reasoning_content]\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4104cb2a727ed79ac3936dcb08f81a098d5c5740cbb65128173d427b876f274d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/claude/handler_utils.go"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 41201, "scanner": "repobility-threat-engine", "fingerprint": "73a79894d4150a5c3b602b11035ddb6d693ca35b53df87955d12f6066d29625f", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"https://api.vercel.com/v9/projects/\"+projectID+\"/env/\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|73a79894d4150a5c3b602b11035ddb6d693ca35b53df87955d12f6066d29625f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/vercel/handler_vercel.go"}, "region": {"startLine": 169}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 41188, "scanner": "repobility-threat-engine", "fingerprint": "8c25cb14bef51eb9739bd080737739d9f68c33ba7129eb7e8b52f5fd22ab398b", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = h.Write(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8c25cb14bef51eb9739bd080737739d9f68c33ba7129eb7e8b52f5fd22ab398b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/auth/admin.go"}, "region": {"startLine": 215}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 41187, "scanner": "repobility-threat-engine", "fingerprint": "f9ff13a3b6b84ca4d59c1654629b3ac34096309f03dc4925e7241d3d2ce771a8", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = auth.AdminKey(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f9ff13a3b6b84ca4d59c1654629b3ac34096309f03dc4925e7241d3d2ce771a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/ds2api/main.go"}, "region": {"startLine": 26}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 41186, "scanner": "repobility-threat-engine", "fingerprint": "20de88afaf653dba02eff9d9054be81ead231a44b6148d161af35d99f95ac80e", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = fmt.Fprintln(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|20de88afaf653dba02eff9d9054be81ead231a44b6148d161af35d99f95ac80e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/ds2api-tests/main.go"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41160, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2c4f510e5315a8caf0ab7e9f078da99cf40ed145751c7fe258da6ea4d5fa27b9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/openai/chat/chat_history.go", "duplicate_line": 82, "correlation_key": "fp|2c4f510e5315a8caf0ab7e9f078da99cf40ed145751c7fe258da6ea4d5fa27b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/responsehistory/session.go"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41159, "scanner": "repobility-ai-code-hygiene", "fingerprint": "32358b7017d04273f2761ad05cfd545d00870eb8b273c842a104b79af1a9d4e8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/gemini/convert_passthrough.go", "duplicate_line": 39, "correlation_key": "fp|32358b7017d04273f2761ad05cfd545d00870eb8b273c842a104b79af1a9d4e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/prompt/tool_calls.go"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41158, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e9f32551f8eacd8da98324e64e9179c328b77bc7ea3be6a1951419cc3817fc2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/js/helpers/stream-tool-sieve/sieve.js", "duplicate_line": 223, "correlation_key": "fp|5e9f32551f8eacd8da98324e64e9179c328b77bc7ea3be6a1951419cc3817fc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/js/helpers/stream-tool-sieve/state.js"}, "region": {"startLine": 79}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41157, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b92a55be6561f5ebfdaf92af3a61fb51d38200909e23b73fb2dd2e2ce5f7ace0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/js/chat-stream/toolcall_policy.js", "duplicate_line": 102, "correlation_key": "fp|b92a55be6561f5ebfdaf92af3a61fb51d38200909e23b73fb2dd2e2ce5f7ace0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/js/helpers/stream-tool-sieve/format.js"}, "region": {"startLine": 200}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41156, "scanner": "repobility-ai-code-hygiene", "fingerprint": "86b652ad23941dac2d4c2bb234b8e5df923aa8d2048e11bb0e7d2c70e1177889", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/js/chat-stream/cors.js", "duplicate_line": 110, "correlation_key": "fp|86b652ad23941dac2d4c2bb234b8e5df923aa8d2048e11bb0e7d2c70e1177889"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/js/chat-stream/toolcall_policy.js"}, "region": {"startLine": 116}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41155, "scanner": "repobility-ai-code-hygiene", "fingerprint": "664a600fce2f881872f2010ee1be4e9e512785898f3de1a162a65dfba7bd1aed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/js/chat-stream/cors.js", "duplicate_line": 110, "correlation_key": "fp|664a600fce2f881872f2010ee1be4e9e512785898f3de1a162a65dfba7bd1aed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/js/chat-stream/sse_parse_impl.js"}, "region": {"startLine": 582}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41154, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cc4c59535c340468ea8b0fb6fcb2ae4a3997d6fdb0030e264f75f9a84004ef62", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/js/chat-stream/cors.js", "duplicate_line": 110, "correlation_key": "fp|cc4c59535c340468ea8b0fb6fcb2ae4a3997d6fdb0030e264f75f9a84004ef62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/js/chat-stream/http_internal.js"}, "region": {"startLine": 199}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41153, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d7fce9faec8b2df1986a8cdcc459eef41e8d12c6e6d7ec8ac3647a471dec00e3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/openai/chat/chat_stream_runtime.go", "duplicate_line": 197, "correlation_key": "fp|d7fce9faec8b2df1986a8cdcc459eef41e8d12c6e6d7ec8ac3647a471dec00e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/openai/responses/responses_stream_runtime_core.go"}, "region": {"startLine": 155}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41152, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9e8c01ae13ac57f3a7c79e9354f6a3db46895b62a5274ccb3081706356dccc90", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/openai/responses/empty_retry_runtime.go", "duplicate_line": 86, "correlation_key": "fp|9e8c01ae13ac57f3a7c79e9354f6a3db46895b62a5274ccb3081706356dccc90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/openai/responses/responses_handler.go"}, "region": {"startLine": 204}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41151, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e00b5a05562db4ff5928cdf4009bcbe727bf36e330f8b66b3fff3f031d6b2885", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/openai/chat/handler_chat.go", "duplicate_line": 52, "correlation_key": "fp|e00b5a05562db4ff5928cdf4009bcbe727bf36e330f8b66b3fff3f031d6b2885"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/openai/responses/responses_handler.go"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41150, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5f36dc49da2202c04b2f481d3a91dffd72f7d6ef3d3cd8dfa671f70d81755af7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/openai/chat/handler.go", "duplicate_line": 32, "correlation_key": "fp|5f36dc49da2202c04b2f481d3a91dffd72f7d6ef3d3cd8dfa671f70d81755af7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/openai/responses/handler.go"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41149, "scanner": "repobility-ai-code-hygiene", "fingerprint": "27ffd5af2318ae6e65b5f5dbc4e376acd7d69e038a8dd84e57c8eda9f7a797b3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/gemini/handler_errors.go", "duplicate_line": 4, "correlation_key": "fp|27ffd5af2318ae6e65b5f5dbc4e376acd7d69e038a8dd84e57c8eda9f7a797b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/gemini/handler_stream_runtime.go"}, "region": {"startLine": 193}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41148, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3c354b7ad429ceaf635dffbd86520d88d33a011010cfa9a29667b41b6ceac921", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/claude/handler_routes.go", "duplicate_line": 9, "correlation_key": "fp|3c354b7ad429ceaf635dffbd86520d88d33a011010cfa9a29667b41b6ceac921"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/gemini/handler_routes.go"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41147, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e46e5243a27223fed2f5ad32354d6d1acb5a5e3c7c7a443f0f929d2a9062758e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/claude/handler_messages.go", "duplicate_line": 166, "correlation_key": "fp|e46e5243a27223fed2f5ad32354d6d1acb5a5e3c7c7a443f0f929d2a9062758e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/gemini/handler_generate.go"}, "region": {"startLine": 159}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41146, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b4553d43ca4a3c3bbe9ec87dfad0bbb185cfae09299fddbb91b607e17bc12b2f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/claude/deps.go", "duplicate_line": 2, "correlation_key": "fp|b4553d43ca4a3c3bbe9ec87dfad0bbb185cfae09299fddbb91b607e17bc12b2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/gemini/deps.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41145, "scanner": "repobility-ai-code-hygiene", "fingerprint": "582fbe178377309ad6d9f04490ec28a4f3860ceaba9d85b9637fab4fc6b13286", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/claude/handler_utils_sanitize.go", "duplicate_line": 75, "correlation_key": "fp|582fbe178377309ad6d9f04490ec28a4f3860ceaba9d85b9637fab4fc6b13286"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/gemini/convert_messages.go"}, "region": {"startLine": 265}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41144, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b977de92a3741dbdaa9196a903f37f5f33a67b7c3651ca7dca070c3210964ef2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/claude/stream_runtime_core.go", "duplicate_line": 158, "correlation_key": "fp|b977de92a3741dbdaa9196a903f37f5f33a67b7c3651ca7dca070c3210964ef2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/claude/stream_runtime_finalize.go"}, "region": {"startLine": 82}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41143, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4dda3eb44b71b90788ae18ad09439f9f57746e8504c2b096d06e6f94d34b2a3c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/admin/auth/deps.go", "duplicate_line": 2, "correlation_key": "fp|4dda3eb44b71b90788ae18ad09439f9f57746e8504c2b096d06e6f94d34b2a3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/version/deps.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 4691, "scanner": "repobility-threat-engine", "fingerprint": "1440aaaed046bb8695fed5d4040ebcab42b32d000b419fca9d8abae7fc9d06bd", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = w.Write(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1440aaaed046bb8695fed5d4040ebcab42b32d000b419fca9d8abae7fc9d06bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 88}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 4451, "scanner": "repobility-threat-engine", "fingerprint": "8066a731a96a12a10f78b6ccaf2deb63e283abb1cfee9eb745b426aede89ff02", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = w.Write(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8066a731a96a12a10f78b6ccaf2deb63e283abb1cfee9eb745b426aede89ff02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 87}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4450, "scanner": "repobility-ai-code-hygiene", "fingerprint": "915a532418c4e29721ec759f47aa13a4340e847f61f453b4410ffbe39696305f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/admin/shared/helpers.go", "duplicate_line": 83, "correlation_key": "fp|915a532418c4e29721ec759f47aa13a4340e847f61f453b4410ffbe39696305f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/vercel/handler_vercel.go"}, "region": {"startLine": 293}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 4129, "scanner": "repobility-threat-engine", "fingerprint": "a3dc7bc40e483a1c5c96bdaf07619a06a58ddf2981adfce41a026d732ed43fa4", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = w.Write(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a3dc7bc40e483a1c5c96bdaf07619a06a58ddf2981adfce41a026d732ed43fa4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 85}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 3108, "scanner": "repobility-docker", "fingerprint": "7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ds2api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 3107, "scanner": "repobility-docker", "fingerprint": "2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ds2api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 3105, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 3092, "scanner": "repobility-threat-engine", "fingerprint": "988c49d70d8ea1131afc17699c19990b14d589bef39e01aa019e3cea7f4c2128", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = fmt.Fprintf(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|988c49d70d8ea1131afc17699c19990b14d589bef39e01aa019e3cea7f4c2128"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/testsuite/runner_http.go"}, "region": {"startLine": 134}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 3091, "scanner": "repobility-threat-engine", "fingerprint": "51f216578b8d355ec6cdf37f931a53b52e9b320e1940c7dc6d15afcb65b7ace9", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = dsprotocol.ScanSSELines(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|51f216578b8d355ec6cdf37f931a53b52e9b320e1940c7dc6d15afcb65b7ace9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/sse/consumer.go"}, "region": {"startLine": 43}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 3090, "scanner": "repobility-threat-engine", "fingerprint": "898581811de2bc62b3e8a65dda391aeaf4dc7717bc8780897edbc56e5d606baa", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = w.Write(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|898581811de2bc62b3e8a65dda391aeaf4dc7717bc8780897edbc56e5d606baa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 83}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3086, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b7311af6475a547d934599b06030158cacb907f30aeb6aef54e5887b27bfc7b9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/admin/auth/deps.go", "duplicate_line": 2, "correlation_key": "fp|b7311af6475a547d934599b06030158cacb907f30aeb6aef54e5887b27bfc7b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/vercel/deps.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3085, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2bce1db9621caf316e4ffef4bb05b436254e1628dafafceb8732e1d6d2f2dcad", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/admin/accounts/deps.go", "duplicate_line": 4, "correlation_key": "fp|2bce1db9621caf316e4ffef4bb05b436254e1628dafafceb8732e1d6d2f2dcad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/settings/deps.go"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3084, "scanner": "repobility-ai-code-hygiene", "fingerprint": "35b75d94ed70ae7966f31e97b90c16c27057ec22e48fe2cd1baf7a884686d7e0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/admin/configmgmt/deps.go", "duplicate_line": 2, "correlation_key": "fp|35b75d94ed70ae7966f31e97b90c16c27057ec22e48fe2cd1baf7a884686d7e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/settings/deps.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3083, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1a184fc7682318b5583f836fa0d277b07ff416d4af5c78589c0d4b26887a1164", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/admin/accounts/deps.go", "duplicate_line": 4, "correlation_key": "fp|1a184fc7682318b5583f836fa0d277b07ff416d4af5c78589c0d4b26887a1164"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/proxies/deps.go"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3082, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5affee1a1ce142640904a63f07679c11510b3324d6364a6a2dd6043ddbe14b64", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/admin/configmgmt/deps.go", "duplicate_line": 2, "correlation_key": "fp|5affee1a1ce142640904a63f07679c11510b3324d6364a6a2dd6043ddbe14b64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/proxies/deps.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3081, "scanner": "repobility-ai-code-hygiene", "fingerprint": "578dd1d98263d16945f29a34167f2217b6f7cdb4254a37c8aba0984a3d54aa8f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/admin/auth/deps.go", "duplicate_line": 2, "correlation_key": "fp|578dd1d98263d16945f29a34167f2217b6f7cdb4254a37c8aba0984a3d54aa8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/history/deps.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3080, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8839a72f6c92c941bbe905de7d4a3e19902ea753e40e3c245accaff12e811308", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/admin/auth/deps.go", "duplicate_line": 2, "correlation_key": "fp|8839a72f6c92c941bbe905de7d4a3e19902ea753e40e3c245accaff12e811308"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/devcapture/deps.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3079, "scanner": "repobility-ai-code-hygiene", "fingerprint": "27a181d79d9688a56ec09a78207cb5476887352d7d5fb172cb1295530cb78595", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/httpapi/admin/accounts/deps.go", "duplicate_line": 4, "correlation_key": "fp|27a181d79d9688a56ec09a78207cb5476887352d7d5fb172cb1295530cb78595"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/configmgmt/deps.go"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3078, "scanner": "repobility-ai-code-hygiene", "fingerprint": "17ed61df33fd4f212f39637089cdd6533128937bf4d925322577d5c4170be269", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/deepseek/client/client_auth.go", "duplicate_line": 74, "correlation_key": "fp|17ed61df33fd4f212f39637089cdd6533128937bf4d925322577d5c4170be269"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/deepseek/client/client_session_delete.go"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3077, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e8b55dae2d2b793781d8d1de564b1a3453730ec1e2871deb41c780c86de3e740", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/deepseek/client/client_session.go", "duplicate_line": 67, "correlation_key": "fp|e8b55dae2d2b793781d8d1de564b1a3453730ec1e2871deb41c780c86de3e740"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/deepseek/client/client_session_delete.go"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3076, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9063f3fdba5054476dac084a28d887cbf286e735ecbf445a3321273e2d7d58d1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/deepseek/client/client_auth.go", "duplicate_line": 74, "correlation_key": "fp|9063f3fdba5054476dac084a28d887cbf286e735ecbf445a3321273e2d7d58d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/deepseek/client/client_session.go"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED100", "level": "none", "message": {"text": "[MINED100] React Index As Key: Using the loop index `i` as React `key` causes re-render bugs when the list re-orders, items are inserted/removed mid-list, or items have state. Prefer a stable unique id from the data."}, "properties": {"repobilityId": 41223, "scanner": "repobility-threat-engine", "fingerprint": "af11b29e56f1d4394c5dcc408e63d088f8b3b39ac9382801b78da5a203d6c894", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "key-prop-redundancy", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 10, "observations_count": 2815, "ai_coder_pattern_id": 61}, "scanner": "repobility-threat-engine", "correlation_key": "fp|af11b29e56f1d4394c5dcc408e63d088f8b3b39ac9382801b78da5a203d6c894"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/src/features/apiTester/ConfigPanel.jsx"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 41221, "scanner": "repobility-threat-engine", "fingerprint": "3eefa648305ae61d0591934612a49043d5a269c7083ab23d866f11a1715e7f30", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3eefa648305ae61d0591934612a49043d5a269c7083ab23d866f11a1715e7f30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/src/components/LandingPage.jsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 41220, "scanner": "repobility-threat-engine", "fingerprint": "91e42062e9050a70677435c531eaec007917856a8f7be95ae58764f96b6614a8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|91e42062e9050a70677435c531eaec007917856a8f7be95ae58764f96b6614a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/src/features/apiTester/ConfigPanel.jsx"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 41219, "scanner": "repobility-threat-engine", "fingerprint": "e4925f3f54fac1fd713aec503d6a9a73c1b00671a185ea1cddcaedd5bc83dbcb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e4925f3f54fac1fd713aec503d6a9a73c1b00671a185ea1cddcaedd5bc83dbcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/src/features/account/ApiKeysPanel.jsx"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 41218, "scanner": "repobility-threat-engine", "fingerprint": "ebc07dce9263a6aaaec04a5a952b1227c8ada2e4983e200543a7889e9266f768", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ebc07dce9263a6aaaec04a5a952b1227c8ada2e4983e200543a7889e9266f768"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/src/components/LandingPage.jsx"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 41217, "scanner": "repobility-threat-engine", "fingerprint": "f5f0ee0407b51d0ac20b895b10fb0fb2d25d496c71c3de2200e03e778c4fe3f2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f5f0ee0407b51d0ac20b895b10fb0fb2d25d496c71c3de2200e03e778c4fe3f2", "aggregated_count": 2}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 41216, "scanner": "repobility-threat-engine", "fingerprint": "2dd3b43b09e986c551acfcced9b0fe494c4c0a338b3a6ac0a8fcd38937ecdd80", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2dd3b43b09e986c551acfcced9b0fe494c4c0a338b3a6ac0a8fcd38937ecdd80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/src/features/apiTester/useChatStreamClient.js"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 41215, "scanner": "repobility-threat-engine", "fingerprint": "0a9d3a852ea8309db60cc071cba6fc4f5aac87adfa5afdca4693a386bc3f03ec", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0a9d3a852ea8309db60cc071cba6fc4f5aac87adfa5afdca4693a386bc3f03ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/src/features/account/useAccountsData.js"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 41214, "scanner": "repobility-threat-engine", "fingerprint": "dfa68341fb5761eb562cd05fb5758eeb6bb84a139b9bf465bbb05cbcbd9b5adc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dfa68341fb5761eb562cd05fb5758eeb6bb84a139b9bf465bbb05cbcbd9b5adc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/src/app/useAdminConfig.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 41208, "scanner": "repobility-threat-engine", "fingerprint": "29c811f660f4d02d0eac1575b1ccf829e1282608e988d5f599569653b79d70b8", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|224|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/js/helpers/stream-tool-sieve/format.js"}, "region": {"startLine": 224}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 41207, "scanner": "repobility-threat-engine", "fingerprint": "b343acf48207107416b5f01df941d984d762cb854927c003bae9c79640847aa5", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|122|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/js/chat-stream/toolcall_policy.js"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 41206, "scanner": "repobility-threat-engine", "fingerprint": "8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 41200, "scanner": "repobility-threat-engine", "fingerprint": "2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58"}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 41196, "scanner": "repobility-threat-engine", "fingerprint": "8991712b797151f8eb922c85c418041ba7d391f1afd387f856e10df665983078", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8991712b797151f8eb922c85c418041ba7d391f1afd387f856e10df665983078"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/deepseek/protocol/constants.go"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 41192, "scanner": "repobility-threat-engine", "fingerprint": "129d731a27d187bcbae33cc616cfc635a16a19779a51007c8e96a87322e1e097", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|129d731a27d187bcbae33cc616cfc635a16a19779a51007c8e96a87322e1e097"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/sse/citation_links.go"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 41191, "scanner": "repobility-threat-engine", "fingerprint": "164a955f9b3a1b5bf149071c6264c08240748702d9917f2b2354b6a444960ba0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|164a955f9b3a1b5bf149071c6264c08240748702d9917f2b2354b6a444960ba0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/ds2api/main.go"}, "region": {"startLine": 46}}}]}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "properties": {"repobilityId": 41189, "scanner": "repobility-threat-engine", "fingerprint": "8e025c8d67c3439a4e8279febec0083a40dca1fd3d66afb62bb30780b311da76", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 25 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 25 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8e025c8d67c3439a4e8279febec0083a40dca1fd3d66afb62bb30780b311da76"}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 41185, "scanner": "repobility-threat-engine", "fingerprint": "48b739a9fa0558510a36febe9f4875b0bfd5f165c1c45d54c4a64b2111fc2582", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|48b739a9fa0558510a36febe9f4875b0bfd5f165c1c45d54c4a64b2111fc2582", "aggregated_count": 4}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 41184, "scanner": "repobility-threat-engine", "fingerprint": "74273a221fc886b83e87798e4cbd6aa3931fd97791472abcb06872113edd37d4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|74273a221fc886b83e87798e4cbd6aa3931fd97791472abcb06872113edd37d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/account/pool_acquire.go"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 41183, "scanner": "repobility-threat-engine", "fingerprint": "180603debf0c532a54ad59ec347ea63bfd8d32d77d1ec9ecc0e259b9ce659d5c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|180603debf0c532a54ad59ec347ea63bfd8d32d77d1ec9ecc0e259b9ce659d5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/ds2api/main.go"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 41182, "scanner": "repobility-threat-engine", "fingerprint": "3922951e7edd98c268250ccba1d1b6cfd62ab52977738430f45339cc6fd1d415", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3922951e7edd98c268250ccba1d1b6cfd62ab52977738430f45339cc6fd1d415"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/ds2api-tests/main.go"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 4627, "scanner": "repobility-threat-engine", "fingerprint": "0cd2ee4a93d3ff9deb67d0213ed1eadd260cf34f886d29896ee28e515f7bde5d", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "Logger.Error(\"[refresh_token] failed\", \"account\", a.AccountID, \"error\", err)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|internal/auth/request.go|16|logger.error refresh_token failed account a.accountid error err"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/auth/request.go"}, "region": {"startLine": 170}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 3878, "scanner": "repobility-threat-engine", "fingerprint": "6f37213844c23ea5a80faf3abc0bfb351dd64b9c0538905fc9a71941ff543ca2", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|227|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/js/helpers/stream-tool-sieve/format.js"}, "region": {"startLine": 227}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 3098, "scanner": "repobility-threat-engine", "fingerprint": "f7deb2d6284af96a60269bb1a8dc66a136d1962b5ad792843d479239d37ef894", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|38|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/js/helpers/stream-tool-sieve/format.js"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 3097, "scanner": "repobility-threat-engine", "fingerprint": "eefa6472aff318a57f4a56e8628538328dd89e321e8406f82616ed4dcf9c502e", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|125|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/js/chat-stream/toolcall_policy.js"}, "region": {"startLine": 125}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 3096, "scanner": "repobility-threat-engine", "fingerprint": "ce140d7c1a8a347131a123d749884124c2ea08e92960eced1de89ea8d1f3f8cb", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "Logger.Warn(\"[delete_all_sessions_for_token] request error\", \"error\", err)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|14|logger.warn token request error error err"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/deepseek/client/client_session_delete.go"}, "region": {"startLine": 148}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 3095, "scanner": "repobility-threat-engine", "fingerprint": "a19c53b1da16342ca9a3b8f5f86a5dc7d53a0d3cc51f0689e4753abf03ade473", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "Logger.Warn(\"[create_session] failed\", \"status\", status, \"code\", code, \"biz_code\", bizCode, \"msg\", m", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|7|logger.warn create_session failed status status code code biz_code bizcode msg m"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/deepseek/client/client_auth.go"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 3094, "scanner": "repobility-threat-engine", "fingerprint": "daa5d8e4bb06f2c5258c2e34b4f3620f90f721050c2f72add52dc64f4308c18c", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "Logger.Error(\"[refresh_token] failed\", \"account\", a.AccountID, \"error\", err)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|internal/auth/request.go|16|logger.error refresh_token failed account a.accountid error err"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/auth/request.go"}, "region": {"startLine": 168}}}]}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 28 more): Same pattern found in 28 additional files. Review if needed."}, "properties": {"repobilityId": 3093, "scanner": "repobility-threat-engine", "fingerprint": "e238979ce561f988eca017974ead0f6faf8ef8aa801e28202094dd6bbfb1b7c2", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 28 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 28 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e238979ce561f988eca017974ead0f6faf8ef8aa801e28202094dd6bbfb1b7c2"}}}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /models/{model_id}."}, "properties": {"repobilityId": 41226, "scanner": "repobility-access-control", "fingerprint": "742c4975e2bcb5209969c67c0f853f6e7acbaa0bae1fd8fcb022fa81b61425c5", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/models/{model_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|109|cwe-639", "identity_targets": ["unknown", "owner", "super_admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 109}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/models/{model_id}."}, "properties": {"repobilityId": 41225, "scanner": "repobility-access-control", "fingerprint": "757a234bbe24b8c2f2a3550f66baf2d52565c6493553b12058bfa5d1f3474b9e", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/models/{model_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|100|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 41211, "scanner": "repobility-threat-engine", "fingerprint": "94e83bb9724d0c72bcfaee097ee8a96cec4540877c56596cf3c4ec0886e9cffb", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.Join(cc.dir, \"request", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|150|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/testsuite/runner_http.go"}, "region": {"startLine": 150}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 41210, "scanner": "repobility-threat-engine", "fingerprint": "7b8f9d23fa9e5b98e312cc56a35c0732485f1c14783e3df24dcd8200c2f8f0d8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7b8f9d23fa9e5b98e312cc56a35c0732485f1c14783e3df24dcd8200c2f8f0d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/webui/build.go"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 41209, "scanner": "repobility-threat-engine", "fingerprint": "88aed2603569684a892c388e026931b9fe1d6af6d972ca54dd06f35b543607e6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|88aed2603569684a892c388e026931b9fe1d6af6d972ca54dd06f35b543607e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/testsuite/runner_env.go"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 41205, "scanner": "repobility-threat-engine", "fingerprint": "0593ecb05b85b6a69a1575103e8f5aa7288286bb0e8dbfd5a69bc8c5957d4b14", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0593ecb05b85b6a69a1575103e8f5aa7288286bb0e8dbfd5a69bc8c5957d4b14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/sse/citation_links.go"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 41204, "scanner": "repobility-threat-engine", "fingerprint": "fba88f92b9c73180486e2e892b6584b63b30eb7105a6ddf08d1aab03744bd44e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fba88f92b9c73180486e2e892b6584b63b30eb7105a6ddf08d1aab03744bd44e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/js/chat-stream/proxy_go.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 41203, "scanner": "repobility-threat-engine", "fingerprint": "f3b0e384cc9f11798564715f73b587e3809f2ebfbddcac6702b31246d0a73426", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f3b0e384cc9f11798564715f73b587e3809f2ebfbddcac6702b31246d0a73426"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/js/chat-stream/http_internal.js"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 41199, "scanner": "repobility-threat-engine", "fingerprint": "d7d336863128e8771b2865aecbf420a77a0749d81d93ca4a3e540a1a8800fbbc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "r.Delete(\"/dev/captures\", h.clearDevCaptures)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d7d336863128e8771b2865aecbf420a77a0749d81d93ca4a3e540a1a8800fbbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/devcapture/routes.go"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 41198, "scanner": "repobility-threat-engine", "fingerprint": "2b9116f7f1fad3ffc87ac043d94d8de323bb752350fb40fe4acb2d168cb9c0b0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "r.Delete(\"/keys/{key}\", h.deleteKey)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2b9116f7f1fad3ffc87ac043d94d8de323bb752350fb40fe4acb2d168cb9c0b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/configmgmt/routes.go"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 41197, "scanner": "repobility-threat-engine", "fingerprint": "38524cc944473f1533089f167b8ebdcd3933edbad6f26fcbcc4bee35f5b2a08d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "r.Delete(\"/accounts/{identifier}\", h.deleteAccount)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|38524cc944473f1533089f167b8ebdcd3933edbad6f26fcbcc4bee35f5b2a08d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/accounts/routes.go"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 41195, "scanner": "repobility-threat-engine", "fingerprint": "9d8da0459a1d0b420d4828e72bc39533a1467ed350c959dbcd4116e5521cc713", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9d8da0459a1d0b420d4828e72bc39533a1467ed350c959dbcd4116e5521cc713"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/vercel/handler_vercel.go"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 41194, "scanner": "repobility-threat-engine", "fingerprint": "1e4d2ffaca05eb9a10e3d085185b9ac0200d9545a0bb88a197a27c88be813330", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1e4d2ffaca05eb9a10e3d085185b9ac0200d9545a0bb88a197a27c88be813330"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/shared/helpers.go"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 41193, "scanner": "repobility-threat-engine", "fingerprint": "2f5d13e7eeb45c35325f203a81fa747a7cdc36f6c51b6f595d162b26152a4554", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2f5d13e7eeb45c35325f203a81fa747a7cdc36f6c51b6f595d162b26152a4554"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/config/config.go"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 41181, "scanner": "repobility-supply-chain", "fingerprint": "b83d9c0eb26316dc1fee25bc33c32380ef8eaa65d42f30d586bd47c1fda065b6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b83d9c0eb26316dc1fee25bc33c32380ef8eaa65d42f30d586bd47c1fda065b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/quality-gates.yml"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 41180, "scanner": "repobility-supply-chain", "fingerprint": "039f58e0bd4072866b252f8cab6f7bc8f58971d4aa8148b98d8c3fa0eb3785a4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|039f58e0bd4072866b252f8cab6f7bc8f58971d4aa8148b98d8c3fa0eb3785a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/quality-gates.yml"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 41179, "scanner": "repobility-supply-chain", "fingerprint": "a64e7b2eb5189e46e9d92770a9f84563f925c7d2ee79cde46806d7f09eb6e02b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a64e7b2eb5189e46e9d92770a9f84563f925c7d2ee79cde46806d7f09eb6e02b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/quality-gates.yml"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 41178, "scanner": "repobility-supply-chain", "fingerprint": "2d2117cef19d2fa323c3b0d8601eceb1c5715d886fce3cfa2a8d1b21e4f56698", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2d2117cef19d2fa323c3b0d8601eceb1c5715d886fce3cfa2a8d1b21e4f56698"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/quality-gates.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 41177, "scanner": "repobility-supply-chain", "fingerprint": "57a2672af470d2ca0bfc588b4e29a42642e283578e0985bc0a1b11c59348c882", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|57a2672af470d2ca0bfc588b4e29a42642e283578e0985bc0a1b11c59348c882"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/quality-gates.yml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 41176, "scanner": "repobility-supply-chain", "fingerprint": "ec1877b889ea595e6eb15777e647c5528ebc05a956b48427fed6b35f4835daea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ec1877b889ea595e6eb15777e647c5528ebc05a956b48427fed6b35f4835daea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/quality-gates.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 41175, "scanner": "repobility-supply-chain", "fingerprint": "d7c36106c85471d5abaff38a391f7623609b7ee4faad33df744d8eb7199b2e3c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d7c36106c85471d5abaff38a391f7623609b7ee4faad33df744d8eb7199b2e3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/quality-gates.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 41174, "scanner": "repobility-supply-chain", "fingerprint": "5ccf9b6de6b45f577e0aacf06eea0da275a6716d8100ba037628cd4ae508554a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5ccf9b6de6b45f577e0aacf06eea0da275a6716d8100ba037628cd4ae508554a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/quality-gates.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 41173, "scanner": "repobility-supply-chain", "fingerprint": "89609a45dfe646d999ff119978e0ad7e476243d29443f463f20fcdfbf4b5ac7f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|89609a45dfe646d999ff119978e0ad7e476243d29443f463f20fcdfbf4b5ac7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/quality-gates.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `golangci/golangci-lint-action` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 41172, "scanner": "repobility-supply-chain", "fingerprint": "26f660b8e8a1379fb418ad7d65fa2d18031f89a701b976fcaf803e356b2b355b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|26f660b8e8a1379fb418ad7d65fa2d18031f89a701b976fcaf803e356b2b355b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/quality-gates.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 41171, "scanner": "repobility-supply-chain", "fingerprint": "b4b11385a3f909143841d28c40ca97003177c382a32dee3f2c1e732eb80c76ea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4b11385a3f909143841d28c40ca97003177c382a32dee3f2c1e732eb80c76ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/quality-gates.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 41170, "scanner": "repobility-supply-chain", "fingerprint": "079e24a5109f0fa9a51e2e8675fda3d44e45b86001a2c178bd9a623987cac555", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|079e24a5109f0fa9a51e2e8675fda3d44e45b86001a2c178bd9a623987cac555"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/quality-gates.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 41169, "scanner": "repobility-supply-chain", "fingerprint": "f9540784c2eeb0a4b8c2e46bbe91675daa287378438d66b7e00e3e4900b973da", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f9540784c2eeb0a4b8c2e46bbe91675daa287378438d66b7e00e3e4900b973da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 41168, "scanner": "repobility-supply-chain", "fingerprint": "c299db25315e167e74e821ab1a00c6fcb039592029405e212ba26d176a5f5e66", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c299db25315e167e74e821ab1a00c6fcb039592029405e212ba26d176a5f5e66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-artifacts.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 41167, "scanner": "repobility-supply-chain", "fingerprint": "11010e0d0f099d3220607d90c50fe4da1c8dcb769b504497865d91ee12dfe9ff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|11010e0d0f099d3220607d90c50fe4da1c8dcb769b504497865d91ee12dfe9ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-artifacts.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 41166, "scanner": "repobility-supply-chain", "fingerprint": "4e93ee27c179e4f506f21ac45083f3cef8de53facdd7e7129fc173c32b28e02a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e93ee27c179e4f506f21ac45083f3cef8de53facdd7e7129fc173c32b28e02a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-artifacts.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 41165, "scanner": "repobility-supply-chain", "fingerprint": "81a13abd304db378f4e5329a0236d6c4d68f6eaf0deedc787651df4d1bffd6e5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|81a13abd304db378f4e5329a0236d6c4d68f6eaf0deedc787651df4d1bffd6e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-dockerhub.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `debian:bookworm-slim` not pinned by digest"}, "properties": {"repobilityId": 41164, "scanner": "repobility-supply-chain", "fingerprint": "1497d9b0c64aa1cc568019e7c2a2ccee5d1e09022ee09b0b2bdfb042c1c73528", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1497d9b0c64aa1cc568019e7c2a2ccee5d1e09022ee09b0b2bdfb042c1c73528"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `busybox:1.36.1-musl` not pinned by digest"}, "properties": {"repobilityId": 41163, "scanner": "repobility-supply-chain", "fingerprint": "d0b90d9d5b5d003a9a92dedb261a41ffe9f54e972c7b4692ddd24e6bc79082f4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d0b90d9d5b5d003a9a92dedb261a41ffe9f54e972c7b4692ddd24e6bc79082f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `golang:1.26` not pinned by digest"}, "properties": {"repobilityId": 41162, "scanner": "repobility-supply-chain", "fingerprint": "9a7308b175717a43d3fee43d357fff49cf30959d7524b82357192d183ed19cff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a7308b175717a43d3fee43d357fff49cf30959d7524b82357192d183ed19cff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:24` not pinned by digest"}, "properties": {"repobilityId": 41161, "scanner": "repobility-supply-chain", "fingerprint": "ea992e9a36373b96302b92250f139559bcf1931d4256f7b6e90b3860f84bb0ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ea992e9a36373b96302b92250f139559bcf1931d4256f7b6e90b3860f84bb0ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /files/{file_id}."}, "properties": {"repobilityId": 4697, "scanner": "repobility-access-control", "fingerprint": "7a69f60a327600db4098fd5876c4f57826687bdbaab22b31848e538892eff7b0", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/files/{file_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|114|cwe-639", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 114}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /responses/{response_id}."}, "properties": {"repobilityId": 4696, "scanner": "repobility-access-control", "fingerprint": "2b68696d3fa873df065fe0ffb08600f193a3b885379337491c431f552933bebc", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/responses/{response_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|112|cwe-639", "identity_targets": ["unknown", "owner", "super_admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 112}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/files/{file_id}."}, "properties": {"repobilityId": 4694, "scanner": "repobility-access-control", "fingerprint": "f100efd7d8aa8fca923b16f2400123551350ce069a6e66a180bd448fe4dabe0e", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/files/{file_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|105|cwe-639", "identity_targets": ["unknown", "owner", "super_admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 105}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/responses/{response_id}."}, "properties": {"repobilityId": 4693, "scanner": "repobility-access-control", "fingerprint": "1005003677d7cbbb47187999c39405a5e383f1f382595007ed2895e0b3799de8", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/responses/{response_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|103|cwe-639", "identity_targets": ["unknown", "owner", "super_admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 103}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /files/{file_id}."}, "properties": {"repobilityId": 4459, "scanner": "repobility-access-control", "fingerprint": "374c4858fc91c037ae7afe3672a6bfcef8b98535edb24dab095fd501eeafe430", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/files/{file_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|113|cwe-639", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 113}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /models/{model_id}."}, "properties": {"repobilityId": 4457, "scanner": "repobility-access-control", "fingerprint": "c7f4f855632365a8f198761a465e3e0b1c3025c4080e60d4d2f29e65925d6944", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/models/{model_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|108|cwe-639", "identity_targets": ["unknown", "owner", "super_admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 108}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/files/{file_id}."}, "properties": {"repobilityId": 4456, "scanner": "repobility-access-control", "fingerprint": "1807e6e5ef14844c1f52a736304408a5ad70f4eb1a010362bdde615df0f4dce6", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/files/{file_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|104|cwe-639", "identity_targets": ["unknown", "owner", "super_admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 104}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/models/{model_id}."}, "properties": {"repobilityId": 4454, "scanner": "repobility-access-control", "fingerprint": "8c6bf6eaeff12247b4fa2d99e499ecb8049e12ceb4bf4b4dc213b3b04574b2b2", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/models/{model_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|99|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 99}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /files/{file_id}."}, "properties": {"repobilityId": 4136, "scanner": "repobility-access-control", "fingerprint": "d27c3d1ce9c19508643742f59b6448d0950789ad0be9d765076bff1f20878a7b", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/files/{file_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|111|cwe-639", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 111}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /responses/{response_id}."}, "properties": {"repobilityId": 4135, "scanner": "repobility-access-control", "fingerprint": "5d6c211542371730c2d853017af0e93cff5691182bf80e7d3ca823adcc1744eb", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/responses/{response_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|109|cwe-639", "identity_targets": ["unknown", "owner", "admin", "super_admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 109}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /models/{model_id}."}, "properties": {"repobilityId": 4134, "scanner": "repobility-access-control", "fingerprint": "28b8b5988356768144e4e8be47fdade6235a845152e69a5ac9e3dde5f8a3e92d", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/models/{model_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|106|cwe-639", "identity_targets": ["unknown", "owner", "super_admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 106}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/files/{file_id}."}, "properties": {"repobilityId": 4133, "scanner": "repobility-access-control", "fingerprint": "bd26e802325d346d47927064b5096d5e9ff845f6420f541d9b12bcdc83909a16", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/files/{file_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|102|cwe-639", "identity_targets": ["unknown", "owner", "super_admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 102}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/responses/{response_id}."}, "properties": {"repobilityId": 4132, "scanner": "repobility-access-control", "fingerprint": "3145a31567b58f630554461aa50d074c434f9bd7b8b202cb027b3b8eacfb94bf", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/responses/{response_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|100|cwe-639", "identity_targets": ["unknown", "owner", "super_admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 100}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/models/{model_id}."}, "properties": {"repobilityId": 4131, "scanner": "repobility-access-control", "fingerprint": "36163b037633c00265ec00b2a57e5d48b3606f2547aa6faad8ac04c40acdfb40", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/models/{model_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|97|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 97}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 3885, "scanner": "repobility-journey-contract", "fingerprint": "b7d51b4e220cde7cd52cac772afde9ddec38c4c48241d043f98ce1a7039b38e6", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|269|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/src/features/proxy/ProxyManagerContainer.jsx"}, "region": {"startLine": 269}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 3884, "scanner": "repobility-journey-contract", "fingerprint": "0f0ce6373ee8365736260c7ea193777f4595e0423fe5f311482a1ded38f0dc6a", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|68|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/src/features/account/AddAccountModal.jsx"}, "region": {"startLine": 68}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /chat-history/{id}."}, "properties": {"repobilityId": 3701, "scanner": "repobility-access-control", "fingerprint": "6d2739aa64929fdf35f0c699a78aabfe0cec6a4770b91355bfefc928ed1e9767", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/chat-history/{id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|9|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/history/routes.go"}, "region": {"startLine": 9}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /chat-history/{id}."}, "properties": {"repobilityId": 3120, "scanner": "repobility-access-control", "fingerprint": "10b62f9956fff70d98400a7316129d2f26f2fbcf769db99a52c57af8874175f6", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/chat-history/{id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|7|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/history/routes.go"}, "region": {"startLine": 7}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /proxies/{proxyID}."}, "properties": {"repobilityId": 3119, "scanner": "repobility-access-control", "fingerprint": "da6ac1f06c301a5e53ecbb4af6a417682c693cbee2f0bc1f8769f6556fca40ca", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/proxies/{proxyID}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|13|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/proxies/routes.go"}, "region": {"startLine": 13}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /proxies/{proxyID}."}, "properties": {"repobilityId": 3118, "scanner": "repobility-access-control", "fingerprint": "39db61bb84280d0331464671683dd00d38aea05457158e066d0bb9808968c084", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/proxies/{proxyID}", "method": "PUT", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|12|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/proxies/routes.go"}, "region": {"startLine": 12}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /admin/proxies/{proxyID}."}, "properties": {"repobilityId": 3117, "scanner": "repobility-access-control", "fingerprint": "cdb018c3234ea5ae76772ad83ba56bf7961a106c1c0f7a5a756e3d83f10171ac", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin/proxies/{proxyID}", "method": "PUT", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|135|cwe-639", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/proxies/handler_proxies_test.go"}, "region": {"startLine": 135}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /admin/proxies/{proxyID}."}, "properties": {"repobilityId": 3116, "scanner": "repobility-access-control", "fingerprint": "750b4ce35a8ee463e33d3dbdee03b3eada1bef6626e3c2227b6c813ac1f888ce", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin/proxies/{proxyID}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|108|cwe-639", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/admin/proxies/handler_proxies_test.go"}, "region": {"startLine": 108}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/responses/{response_id}."}, "properties": {"repobilityId": 3115, "scanner": "repobility-access-control", "fingerprint": "7f1fc3205ccc7e832aa19b6c4408f04107173fcedccf9a44b1e63e2df7c84c93", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/responses/{response_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|27|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/openai/responses/test_helpers_test.go"}, "region": {"startLine": 27}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/responses/{response_id}."}, "properties": {"repobilityId": 3114, "scanner": "repobility-access-control", "fingerprint": "f6c2d5fc9495e3d22baaf7c3a9b4f1e1df3445d46ac24d820d4e279feb304a78", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/responses/{response_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|105|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/openai/test_bridge_test.go"}, "region": {"startLine": 105}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/models/{model_id}."}, "properties": {"repobilityId": 3113, "scanner": "repobility-access-control", "fingerprint": "719ad2ef3fccb99d8b182018f09f88496c96fd1ca0750f9942d0505e4dfe0ab4", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/models/{model_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|102|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpapi/openai/test_bridge_test.go"}, "region": {"startLine": 102}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/responses/{response_id}."}, "properties": {"repobilityId": 3112, "scanner": "repobility-access-control", "fingerprint": "022314c899eadae821d011671e7ef78811b5641bee9c3dafac53bd50a9ac3a9f", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/responses/{response_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|98|cwe-639", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 98}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/models/{model_id}."}, "properties": {"repobilityId": 3111, "scanner": "repobility-access-control", "fingerprint": "2661d5eb7e63e96bcd04963d72cce05b0ee4ea1d8a9f3f241500de679ff141f5", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/models/{model_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/server/router.go|95|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/router.go"}, "region": {"startLine": 95}}}]}]}]}