{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /a"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /a2a-sandboxes/:namespace/:agentName."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-4gg8-gxpx-9rph", "name": "uv: GHSA-4gg8-gxpx-9rph", "shortDescription": {"text": "uv: GHSA-4gg8-gxpx-9rph"}, "fullDescription": {"text": "uv is vulnerable to arbitrary file write through entry point names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r73j-pqj5-w3x7", "name": "pillow: GHSA-r73j-pqj5-w3x7", "shortDescription": {"text": "pillow: GHSA-r73j-pqj5-w3x7"}, "fullDescription": {"text": "Pillow has a PDF Parsing Trailer Infinite Loop (DoS)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5xmw-vc9v-4wf2", "name": "pillow: GHSA-5xmw-vc9v-4wf2", "shortDescription": {"text": "pillow: GHSA-5xmw-vc9v-4wf2"}, "fullDescription": {"text": "Pillow has a heap buffer overflow with nested list coordinates"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v34v-rq6j-cj6p", "name": "langsmith: GHSA-v34v-rq6j-cj6p", "shortDescription": {"text": "langsmith: GHSA-v34v-rq6j-cj6p"}, "fullDescription": {"text": "LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rr7j-v2q5-chgv", "name": "langsmith: GHSA-rr7j-v2q5-chgv", "shortDescription": {"text": "langsmith: GHSA-rr7j-v2q5-chgv"}, "fullDescription": {"text": "LangSmith SDK: Streaming token events bypass output redaction"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-65pc-fj4g-8rjx", "name": "idna: GHSA-65pc-fj4g-8rjx", "shortDescription": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "fullDescription": {"text": "Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w8v5-vhqr-4h9v", "name": "diskcache: GHSA-w8v5-vhqr-4h9v", "shortDescription": {"text": "diskcache: GHSA-w8v5-vhqr-4h9v"}, "fullDescription": {"text": "DiskCache has unsafe pickle deserialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jg22-mg44-37j8", "name": "aiohttp: GHSA-jg22-mg44-37j8", "shortDescription": {"text": "aiohttp: GHSA-jg22-mg44-37j8"}, "fullDescription": {"text": "AIOHTTP is Vulnerable to Deserialization of Untrusted Data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hg6j-4rv6-33pg", "name": "aiohttp: GHSA-hg6j-4rv6-33pg", "shortDescription": {"text": "aiohttp: GHSA-hg6j-4rv6-33pg"}, "fullDescription": {"text": "AIOHTTP is vulnerable to cross-origin redirect with per-request cookies"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-g7f3-828f-7h7m", "name": "authlib: GHSA-g7f3-828f-7h7m", "shortDescription": {"text": "authlib: GHSA-g7f3-828f-7h7m"}, "fullDescription": {"text": "Authlib : JWE zip=DEF decompression bomb enables DoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fg6f-75jq-6523", "name": "authlib: GHSA-fg6f-75jq-6523", "shortDescription": {"text": "authlib: GHSA-fg6f-75jq-6523"}, "fullDescription": {"text": "Authlib has 1-click Account Takeover vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gc5v-m9x4-r6x2", "name": "requests: GHSA-gc5v-m9x4-r6x2", "shortDescription": {"text": "requests: GHSA-gc5v-m9x4-r6x2"}, "fullDescription": {"text": "Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mj87-hwqh-73pj", "name": "python-multipart: GHSA-mj87-hwqh-73pj", "shortDescription": {"text": "python-multipart: GHSA-mj87-hwqh-73pj"}, "fullDescription": {"text": "python-multipart affected by Denial of Service via large multipart preamble or epilogue data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mf9w-mj56-hr94", "name": "python-dotenv: GHSA-mf9w-mj56-hr94", "shortDescription": {"text": "python-dotenv: GHSA-mf9w-mj56-hr94"}, "fullDescription": {"text": "python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image has no explicit tag", "shortDescription": {"text": "Dockerfile base image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC034", "name": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines o", "shortDescription": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (S"}, "fullDescription": {"text": "Strip control characters before logging:\n  safe = user_input.replace('\\n','').replace('\\r','').replace('\\x00','')\n  logger.info('User action: %s', safe)\nAlways use parameterized logging (`%s` + args), never f-strings or string concat \u2014 that's also what mitigates log4shell-style attacks. For structured logging, use a JSON formatter that escapes values."}, "properties": {"scanner": "repobility-threat-engine", "category": "log_injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC014", "name": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.", "shortDescription": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "fullDescription": {"text": "Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC127", "name": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedEr", "shortDescription": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or "}, "fullDescription": {"text": "Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC125", "name": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeh", "shortDescription": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim "}, "fullDescription": {"text": "Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `js-yaml` is 1 major version(s) behind (3.14.2 -> 4.2.0)", "shortDescription": {"text": "npm package `js-yaml` is 1 major version(s) behind (3.14.2 -> 4.2.0)"}, "fullDescription": {"text": "`js-yaml` is pinned/resolved at 3.14.2 but the latest stable release on the npm registry is 4.2.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "GHSA-pjjw-68hj-v9mw", "name": "uv: GHSA-pjjw-68hj-v9mw", "shortDescription": {"text": "uv: GHSA-pjjw-68hj-v9mw"}, "fullDescription": {"text": "uv vulnerable to arbitrary file deletion through RECORD entries"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5239-wwwm-4pmq", "name": "pygments: GHSA-5239-wwwm-4pmq", "shortDescription": {"text": "pygments: GHSA-5239-wwwm-4pmq"}, "fullDescription": {"text": "Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vp96-hxj8-p424", "name": "pyopenssl: GHSA-vp96-hxj8-p424", "shortDescription": {"text": "pyopenssl: GHSA-vp96-hxj8-p424"}, "fullDescription": {"text": "pyOpenSSL allows TLS connection bypass via unhandled callback exception in set_tlsext_servername_callback"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `strip_confirmation_parts_callback` has cognitive complexity 8 (SonarSourc", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `strip_confirmation_parts_callback` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean ch"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 8."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED074", "name": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI halluci", "shortDescription": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 16 more): Same pattern found in 16 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.", "shortDescription": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use a constant command name and validate args via a whitelist."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 14 more): Same pattern found in 14 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 36 more): Same pattern found in 36 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 36 more): Same pattern found in 36 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-161", "name": "starlette: PYSEC-2026-161", "shortDescription": {"text": "starlette: PYSEC-2026-161"}, "fullDescription": {"text": "BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-179", "name": "pyjwt: PYSEC-2026-179", "shortDescription": {"text": "pyjwt: PYSEC-2026-179"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-178", "name": "pyjwt: PYSEC-2026-178", "shortDescription": {"text": "pyjwt: PYSEC-2026-178"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option (\"b64\": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. In practice, this turns the middle segment into an attacker-controlled \u201cwork amplifier\u201d: a remote client can supply an arbitrarily large Base64URL payload segment that forces CPU work + memory allocations even if the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies detached JWS using PyJWT. This vulnerability is fixed in 2.13.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-177", "name": "pyjwt: PYSEC-2026-177", "shortDescription": {"text": "pyjwt: PYSEC-2026-177"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. This vulnerability is fixed in 2.13.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-175", "name": "pyjwt: PYSEC-2026-175", "shortDescription": {"text": "pyjwt: PYSEC-2026-175"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no documented option to restrict which schemes PyJWKClient will fetch. If an application's jku URL ingestion path accepts attacker-influenced URLs (e.g., from JWT header, configuration file, OAuth flow parameter), the attacker can cause PyJWKClient to read arbitrary local files via file:// (SSRF on local filesystem), cause PyJWKClient to attempt FTP / data-URI fetches (broader SSRF surface), or forge tokens that PyJWT verifies as valid. The library does not directly return non-HTTP(S) URI contents to the attacker; the chained \"plant a JWKS to forge tokens\" scenario described in the original report requires additional application-layer flaws (attacker write access to a filesystem path, untrusted jku "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-113", "name": "pyarrow: PYSEC-2026-113", "shortDescription": {"text": "pyarrow: PYSEC-2026-113"}, "fullDescription": {"text": "Use After Free vulnerability in Apache Arrow C++.\n\nThis issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. It can be triggered when reading an Arrow IPC file (but not an IPC stream) with pre-buffering enabled, if the IPC file contains data with variadic buffers (such as Binary View and String View data). Depending on the number of variadic buffers in a record batch column and on the temporal sequence of multi-threaded IO, a write to a dangling pointer could occur. The value (a `std::shared_ptr<Buffer>` object)\u00a0that is written to the dangling pointer is not under direct control of the attacker.\n\nPre-buffering is disabled by default but can be enabled using a specific C++ API call (`RecordBatchFileReader::PreBufferMetadata`). The functionality is not exposed in language bindings (Python, Ruby, C GLib), so these bindings are not vulnerable.\n\nThe most likely consequence of this issue would be random crashes or memory corruption when reading specific kinds of IPC files. If the appli"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-whj4-6x5x-4v2j", "name": "pillow: GHSA-whj4-6x5x-4v2j", "shortDescription": {"text": "pillow: GHSA-whj4-6x5x-4v2j"}, "fullDescription": {"text": "FITS GZIP decompression bomb in Pillow"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pwv6-vv43-88gr", "name": "pillow: GHSA-pwv6-vv43-88gr", "shortDescription": {"text": "pillow: GHSA-pwv6-vv43-88gr"}, "fullDescription": {"text": "Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-cfh3-3jmp-rvhc", "name": "pillow: GHSA-cfh3-3jmp-rvhc", "shortDescription": {"text": "pillow: GHSA-cfh3-3jmp-rvhc"}, "fullDescription": {"text": "Pillow affected by out-of-bounds write when loading PSD images"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-165", "name": "pillow: PYSEC-2026-165", "shortDescription": {"text": "pillow: PYSEC-2026-165"}, "fullDescription": {"text": "Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-107", "name": "orjson: PYSEC-2026-107", "shortDescription": {"text": "orjson: PYSEC-2026-107"}, "fullDescription": {"text": "The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-87", "name": "lxml: PYSEC-2026-87", "shortDescription": {"text": "lxml: PYSEC-2026-87"}, "fullDescription": {"text": "lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3644-q5cj-c5c7", "name": "langsmith: GHSA-3644-q5cj-c5c7", "shortDescription": {"text": "langsmith: GHSA-3644-q5cj-c5c7"}, "fullDescription": {"text": "LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3936-cmfr-pm3m", "name": "black: GHSA-3936-cmfr-pm3m", "shortDescription": {"text": "black: GHSA-3936-cmfr-pm3m"}, "fullDescription": {"text": "Black: Arbitrary file writes from unsanitized user input in cache file name"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7f5h-v6xp-fcq8", "name": "starlette: GHSA-7f5h-v6xp-fcq8", "shortDescription": {"text": "starlette: GHSA-7f5h-v6xp-fcq8"}, "fullDescription": {"text": "Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse``"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9h52-p55h-vw2f", "name": "mcp: GHSA-9h52-p55h-vw2f", "shortDescription": {"text": "mcp: GHSA-9h52-p55h-vw2f"}, "fullDescription": {"text": "Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wh2j-26j7-9728", "name": "google-cloud-aiplatform: GHSA-wh2j-26j7-9728", "shortDescription": {"text": "google-cloud-aiplatform: GHSA-wh2j-26j7-9728"}, "fullDescription": {"text": "Google Cloud Vertex AI has a a vulnerability involving predictable bucket naming"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qv8j-hgpc-vrq8", "name": "google-cloud-aiplatform: GHSA-qv8j-hgpc-vrq8", "shortDescription": {"text": "google-cloud-aiplatform: GHSA-qv8j-hgpc-vrq8"}, "fullDescription": {"text": "Google Cloud Vertex AI SDK affected by Stored Cross-Site Scripting (XSS)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pq5p-34cr-23v9", "name": "authlib: GHSA-pq5p-34cr-23v9", "shortDescription": {"text": "authlib: GHSA-pq5p-34cr-23v9"}, "fullDescription": {"text": "Authlib is vulnerable to Denial of Service via Oversized JOSE Segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m344-f55w-2m6j", "name": "authlib: GHSA-m344-f55w-2m6j", "shortDescription": {"text": "authlib: GHSA-m344-f55w-2m6j"}, "fullDescription": {"text": "Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7432-952r-cw78", "name": "authlib: GHSA-7432-952r-cw78", "shortDescription": {"text": "authlib: GHSA-7432-952r-cw78"}, "fullDescription": {"text": "Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5039", "name": "stdlib: GO-2026-5039", "shortDescription": {"text": "stdlib: GO-2026-5039"}, "fullDescription": {"text": "Arbitrary inputs are included in errors without any escaping in net/textproto"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5038", "name": "stdlib: GO-2026-5038", "shortDescription": {"text": "stdlib: GO-2026-5038"}, "fullDescription": {"text": "Quadratic complexity in WordDecoder.DecodeHeader in mime"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5037", "name": "stdlib: GO-2026-5037", "shortDescription": {"text": "stdlib: GO-2026-5037"}, "fullDescription": {"text": "Inefficient candidate hostname parsing in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4986", "name": "stdlib: GO-2026-4986", "shortDescription": {"text": "stdlib: GO-2026-4986"}, "fullDescription": {"text": "Quadratic string concatentation in consumeComment in net/mail"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4982", "name": "stdlib: GO-2026-4982", "shortDescription": {"text": "stdlib: GO-2026-4982"}, "fullDescription": {"text": "Bypass of meta content URL escaping causes XSS in html/template"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4981", "name": "stdlib: GO-2026-4981", "shortDescription": {"text": "stdlib: GO-2026-4981"}, "fullDescription": {"text": "Crash when handling long CNAME response in net"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4980", "name": "stdlib: GO-2026-4980", "shortDescription": {"text": "stdlib: GO-2026-4980"}, "fullDescription": {"text": "Escaper bypass leads to XSS in html/template"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4977", "name": "stdlib: GO-2026-4977", "shortDescription": {"text": "stdlib: GO-2026-4977"}, "fullDescription": {"text": "Quadratic string concatenation in consumePhrase in net/mail"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4976", "name": "stdlib: GO-2026-4976", "shortDescription": {"text": "stdlib: GO-2026-4976"}, "fullDescription": {"text": "ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4971", "name": "stdlib: GO-2026-4971", "shortDescription": {"text": "stdlib: GO-2026-4971"}, "fullDescription": {"text": "Panic in Dial and LookupPort when handling NUL byte on Windows in net"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4918", "name": "stdlib: GO-2026-4918", "shortDescription": {"text": "stdlib: GO-2026-4918"}, "fullDescription": {"text": "Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5030", "name": "golang.org/x/net: GO-2026-5030", "shortDescription": {"text": "golang.org/x/net: GO-2026-5030"}, "fullDescription": {"text": "Invoking duplicate attributes can cause XSS in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5029", "name": "golang.org/x/net: GO-2026-5029", "shortDescription": {"text": "golang.org/x/net: GO-2026-5029"}, "fullDescription": {"text": "Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5028", "name": "golang.org/x/net: GO-2026-5028", "shortDescription": {"text": "golang.org/x/net: GO-2026-5028"}, "fullDescription": {"text": "Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5027", "name": "golang.org/x/net: GO-2026-5027", "shortDescription": {"text": "golang.org/x/net: GO-2026-5027"}, "fullDescription": {"text": "Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5026", "name": "golang.org/x/net: GO-2026-5026", "shortDescription": {"text": "golang.org/x/net: GO-2026-5026"}, "fullDescription": {"text": "Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5025", "name": "golang.org/x/net: GO-2026-5025", "shortDescription": {"text": "golang.org/x/net: GO-2026-5025"}, "fullDescription": {"text": "Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5033", "name": "golang.org/x/crypto: GO-2026-5033", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5033"}, "fullDescription": {"text": "Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5023", "name": "golang.org/x/crypto: GO-2026-5023", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5023"}, "fullDescription": {"text": "Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5021", "name": "golang.org/x/crypto: GO-2026-5021", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5021"}, "fullDescription": {"text": "Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5020", "name": "golang.org/x/crypto: GO-2026-5020", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5020"}, "fullDescription": {"text": "Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5019", "name": "golang.org/x/crypto: GO-2026-5019", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5019"}, "fullDescription": {"text": "Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5018", "name": "golang.org/x/crypto: GO-2026-5018", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5018"}, "fullDescription": {"text": "Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5017", "name": "golang.org/x/crypto: GO-2026-5017", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5017"}, "fullDescription": {"text": "Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5016", "name": "golang.org/x/crypto: GO-2026-5016", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5016"}, "fullDescription": {"text": "Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5015", "name": "golang.org/x/crypto: GO-2026-5015", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5015"}, "fullDescription": {"text": "Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5014", "name": "golang.org/x/crypto: GO-2026-5014", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5014"}, "fullDescription": {"text": "Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5013", "name": "golang.org/x/crypto: GO-2026-5013", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5013"}, "fullDescription": {"text": "Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5006", "name": "golang.org/x/crypto: GO-2026-5006", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5006"}, "fullDescription": {"text": "Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5005", "name": "golang.org/x/crypto: GO-2026-5005", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5005"}, "fullDescription": {"text": "Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4251", "name": "github.com/ollama/ollama: GO-2025-4251", "shortDescription": {"text": "github.com/ollama/ollama: GO-2025-4251"}, "fullDescription": {"text": "Ollama has missing authentication enabling attackers to perform model management operations in github.com/ollama/ollama"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-3824", "name": "github.com/ollama/ollama: GO-2025-3824", "shortDescription": {"text": "github.com/ollama/ollama: GO-2025-3824"}, "fullDescription": {"text": "Ollama vulnerable to Cross-Domain Token Exposure in github.com/ollama/ollama"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-3695", "name": "github.com/ollama/ollama: GO-2025-3695", "shortDescription": {"text": "github.com/ollama/ollama: GO-2025-3695"}, "fullDescription": {"text": "Ollama Server Vulnerable to Denial of Service (DoS) Attack in github.com/ollama/ollama"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-3689", "name": "github.com/ollama/ollama: GO-2025-3689", "shortDescription": {"text": "github.com/ollama/ollama: GO-2025-3689"}, "fullDescription": {"text": "Ollama Divide by Zero Vulnerability in github.com/ollama/ollama"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-3582", "name": "github.com/ollama/ollama: GO-2025-3582", "shortDescription": {"text": "github.com/ollama/ollama: GO-2025-3582"}, "fullDescription": {"text": "Ollama Denial of Service (DoS) via Null Pointer Dereference in github.com/ollama/ollama"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-3559", "name": "github.com/ollama/ollama: GO-2025-3559", "shortDescription": {"text": "github.com/ollama/ollama: GO-2025-3559"}, "fullDescription": {"text": "Ollama Divide By Zero vulnerability in github.com/ollama/ollama"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-3558", "name": "github.com/ollama/ollama: GO-2025-3558", "shortDescription": {"text": "github.com/ollama/ollama: GO-2025-3558"}, "fullDescription": {"text": "Ollama Allows Out-of-Bounds Read in github.com/ollama/ollama"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-3557", "name": "github.com/ollama/ollama: GO-2025-3557", "shortDescription": {"text": "github.com/ollama/ollama: GO-2025-3557"}, "fullDescription": {"text": "Ollama Allocation of Resources Without Limits or Throttling vulnerability in github.com/ollama/ollama"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gm62-xv2j-4w53", "name": "urllib3: GHSA-gm62-xv2j-4w53", "shortDescription": {"text": "urllib3: GHSA-gm62-xv2j-4w53"}, "fullDescription": {"text": "urllib3 allows an unbounded number of links in the decompression chain"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-38jv-5279-wg99", "name": "urllib3: GHSA-38jv-5279-wg99", "shortDescription": {"text": "urllib3: GHSA-38jv-5279-wg99"}, "fullDescription": {"text": "Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2xpw-w6gg-jr37", "name": "urllib3: GHSA-2xpw-w6gg-jr37", "shortDescription": {"text": "urllib3: GHSA-2xpw-w6gg-jr37"}, "fullDescription": {"text": "urllib3 streaming API improperly handles highly compressed data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-141", "name": "urllib3: PYSEC-2026-141", "shortDescription": {"text": "urllib3: PYSEC-2026-141"}, "fullDescription": {"text": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wp53-j4wj-2cfg", "name": "python-multipart: GHSA-wp53-j4wj-2cfg", "shortDescription": {"text": "python-multipart: GHSA-wp53-j4wj-2cfg"}, "fullDescription": {"text": "Python-Multipart has Arbitrary File Write via Non-Default Configuration"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pp6c-gr5w-3c5g", "name": "python-multipart: GHSA-pp6c-gr5w-3c5g", "shortDescription": {"text": "python-multipart: GHSA-pp6c-gr5w-3c5g"}, "fullDescription": {"text": "python-multipart has Denial of Service via unbounded multipart part headers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5pwr-322w-8jr4", "name": "pyopenssl: GHSA-5pwr-322w-8jr4", "shortDescription": {"text": "pyopenssl: GHSA-5pwr-322w-8jr4"}, "fullDescription": {"text": "pyOpenSSL DTLS cookie callback buffer overflow"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jr27-m4p2-rc6r", "name": "pyasn1: GHSA-jr27-m4p2-rc6r", "shortDescription": {"text": "pyasn1: GHSA-jr27-m4p2-rc6r"}, "fullDescription": {"text": "Denial of Service in pyasn1 via Unbounded Recursion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-63vm-454h-vhhq", "name": "pyasn1: GHSA-63vm-454h-vhhq", "shortDescription": {"text": "pyasn1: GHSA-63vm-454h-vhhq"}, "fullDescription": {"text": "pyasn1 has a DoS vulnerability in decoder"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7gcm-g887-7qv7", "name": "protobuf: GHSA-7gcm-g887-7qv7", "shortDescription": {"text": "protobuf: GHSA-7gcm-g887-7qv7"}, "fullDescription": {"text": "protobuf affected by a JSON recursion depth bypass"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2h4p-vjrc-8xpq", "name": "mako: GHSA-2h4p-vjrc-8xpq", "shortDescription": {"text": "mako: GHSA-2h4p-vjrc-8xpq"}, "fullDescription": {"text": "Mako vulnerable to path traversal via backslash URI on Windows in TemplateLookup"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-88", "name": "mako: PYSEC-2026-88", "shortDescription": {"text": "mako: PYSEC-2026-88"}, "fullDescription": {"text": "Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template(). This vulnerability is fixed in 1.3.11."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r6ph-v2qm-q3c2", "name": "cryptography: GHSA-r6ph-v2qm-q3c2", "shortDescription": {"text": "cryptography: GHSA-r6ph-v2qm-q3c2"}, "fullDescription": {"text": "cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-36", "name": "cryptography: PYSEC-2026-36", "shortDescription": {"text": "cryptography: PYSEC-2026-36"}, "fullDescription": {"text": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-35", "name": "cryptography: PYSEC-2026-35", "shortDescription": {"text": "cryptography: PYSEC-2026-35"}, "fullDescription": {"text": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-25", "name": "authlib: PYSEC-2026-25", "shortDescription": {"text": "authlib: PYSEC-2026-25"}, "fullDescription": {"text": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth.  This vulnerability is fixed in 1.6.11."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-188", "name": "authlib: PYSEC-2026-188", "shortDescription": {"text": "authlib: PYSEC-2026-188"}, "fullDescription": {"text": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Piping downloaded code directly into a shell bypasses checksum verification and makes builds dependent on mutable remote content."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED020", "name": "[MINED020] Logging Credential Via Fstring: logger.error(f\"failed for {api_key}\") \u2014 secrets end up in log aggregators / s", "shortDescription": {"text": "[MINED020] Logging Credential Via Fstring: logger.error(f\"failed for {api_key}\") \u2014 secrets end up in log aggregators / sentry."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED099", "name": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded dir", "shortDescription": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "fullDescription": {"text": "Move the secret to an environment variable or secret manager. Rotate the exposed credential immediately \u2014 assume it is compromised."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in G", "shortDescription": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC088", "name": "[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM r", "shortDescription": {"text": "[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM risk. Ported from gosec G402 (Apache-2.0)."}, "fullDescription": {"text": "Remove the option. If self-signed certs are required, pin via RootCAs."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `node:24-bookworm-slim` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `node:24-bookworm-slim` not pinned by digest"}, "fullDescription": {"text": "`FROM node:24-bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "Workflow container/services image `registry:2` unpinned", "shortDescription": {"text": "Workflow container/services image `registry:2` unpinned"}, "fullDescription": {"text": "`container/services image: registry:2` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `astral-sh/setup-uv` pinned to mutable ref `@v7`", "shortDescription": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v7`"}, "fullDescription": {"text": "`uses: astral-sh/setup-uv@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "Phantom test coverage: test_raises_when_auth_url_missing", "shortDescription": {"text": "Phantom test coverage: test_raises_when_auth_url_missing"}, "fullDescription": {"text": "Test function `test_raises_when_auth_url_missing` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.send_response` used but never assigned in __init__", "shortDescription": {"text": "`self.send_response` used but never assigned in __init__"}, "fullDescription": {"text": "Method `do_GET` of class `RequestRecordingHandler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-f4j7-r4q5-qw2c", "name": "chromadb: GHSA-f4j7-r4q5-qw2c", "shortDescription": {"text": "chromadb: GHSA-f4j7-r4q5-qw2c"}, "fullDescription": {"text": "ChromaDB Python project has a pre-authentication code injection vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rg7c-g689-fr3x", "name": "google-adk: GHSA-rg7c-g689-fr3x", "shortDescription": {"text": "google-adk: GHSA-rg7c-g689-fr3x"}, "fullDescription": {"text": "Google Agent Development Kit (ADK) has a Code Injection and Missing Authentication vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wvwj-cvrp-7pv5", "name": "authlib: GHSA-wvwj-cvrp-7pv5", "shortDescription": {"text": "authlib: GHSA-wvwj-cvrp-7pv5"}, "fullDescription": {"text": "Authlib JWS JWK Header Injection: Signature Verification Bypass"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "jwt", "name": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.", "shortDescription": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "kubernetes-secret-yaml", "name": "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments", "shortDescription": {"text": "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments"}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC099", "name": "[SEC099] JWT decoded without signature verification: JWT token is parsed without verifying its signature. The token body", "shortDescription": {"text": "[SEC099] JWT decoded without signature verification: JWT token is parsed without verifying its signature. The token body can be tampered with arbitrarily by an attacker."}, "fullDescription": {"text": "Use jwt.decode(token, key, algorithms=[...]) without options={'verify_signature': False}. If you genuinely need to peek without verifying (rare \u2014 e.g. logging the kid before fetching the key), use jwt.get_unverified_header() instead and clearly comment."}, "properties": {"scanner": "repobility-threat-engine", "category": "auth", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC010", "name": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code.", "shortDescription": {"text": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code."}, "fullDescription": {"text": "Remove immediately and rotate the token. Use environment variables."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1040"}, "properties": {"repository": "kagent-dev/kagent", "repoUrl": "https://github.com/kagent-dev/kagent", "branch": "main"}, "results": [{"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /a2a-sandboxes/:namespace/:agentName."}, "properties": {"repobilityId": 102293, "scanner": "repobility-access-control", "fingerprint": "ff4cde8736a418350a948b773b7c47ae204c7dea2cf8ffd005f0695dfbda7547", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/a2a-sandboxes/:namespace/:agentName", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|ui/src/app/a2a-sandboxes/ namespace / agentname /route.ts|5|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/app/a2a-sandboxes/[namespace]/[agentName]/route.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /a2a/:namespace/:agentName."}, "properties": {"repobilityId": 102292, "scanner": "repobility-access-control", "fingerprint": "b4af09242c16969f221119d86770786d224abb21368cf28bb88d7bf932ea00a1", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/a2a/:namespace/:agentName", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|ui/src/app/a2a/ namespace / agentname /route.ts|5|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/app/a2a/[namespace]/[agentName]/route.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 102291, "scanner": "repobility-access-control", "fingerprint": "b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 2, "correlation_key": "fp|b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "auth_visible_percent": 0.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 102290, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-4gg8-gxpx-9rph", "level": "warning", "message": {"text": "uv: GHSA-4gg8-gxpx-9rph"}, "properties": {"repobilityId": 102288, "scanner": "osv-scanner", "fingerprint": "b46b27d2243889a8f28bf7ad36ff3833585499cdc330a7e6c6e63a2f7118c540", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "uv", "rule_id": "GHSA-4gg8-gxpx-9rph", "scanner": "osv-scanner", "correlation_key": "vuln|uv|GHSA-4GG8-GXPX-9RPH|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r73j-pqj5-w3x7", "level": "warning", "message": {"text": "pillow: GHSA-r73j-pqj5-w3x7"}, "properties": {"repobilityId": 102279, "scanner": "osv-scanner", "fingerprint": "390d36ba8a26c990c8515def5598dd7f128079db2742ff647a2f425816cd3c1f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pillow-2026-42310", "CVE-2026-42310"], "package": "pillow", "rule_id": "GHSA-r73j-pqj5-w3x7", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2026-42310|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5xmw-vc9v-4wf2", "level": "warning", "message": {"text": "pillow: GHSA-5xmw-vc9v-4wf2"}, "properties": {"repobilityId": 102276, "scanner": "osv-scanner", "fingerprint": "6d1ad3331f00269e9798406cdc4c2e6c272475b2027e6bfdf0b50cd3f0624653", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pillow-2026-42309", "CVE-2026-42309"], "package": "pillow", "rule_id": "GHSA-5xmw-vc9v-4wf2", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2026-42309|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v34v-rq6j-cj6p", "level": "warning", "message": {"text": "langsmith: GHSA-v34v-rq6j-cj6p"}, "properties": {"repobilityId": 102272, "scanner": "osv-scanner", "fingerprint": "fc7a5fcdf4503bbde97d3eb460371e496b113d43bb9f0e095df061cb79a31a98", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25528"], "package": "langsmith", "rule_id": "GHSA-v34v-rq6j-cj6p", "scanner": "osv-scanner", "correlation_key": "vuln|langsmith|CVE-2026-25528|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rr7j-v2q5-chgv", "level": "warning", "message": {"text": "langsmith: GHSA-rr7j-v2q5-chgv"}, "properties": {"repobilityId": 102271, "scanner": "osv-scanner", "fingerprint": "01646333a4f1d4aaf579fb1a0bb4b2b1b0317e7fed0bc99615226182dd1136cb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41182"], "package": "langsmith", "rule_id": "GHSA-rr7j-v2q5-chgv", "scanner": "osv-scanner", "correlation_key": "vuln|langsmith|CVE-2026-41182|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-65pc-fj4g-8rjx", "level": "warning", "message": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "properties": {"repobilityId": 102269, "scanner": "osv-scanner", "fingerprint": "4ec3fdab49baecb8c29cd9730501b65f1422cdca399d7a977dac434d03f370e2", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45409"], "package": "idna", "rule_id": "GHSA-65pc-fj4g-8rjx", "scanner": "osv-scanner", "correlation_key": "vuln|idna|CVE-2024-3651|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w8v5-vhqr-4h9v", "level": "warning", "message": {"text": "diskcache: GHSA-w8v5-vhqr-4h9v"}, "properties": {"repobilityId": 102268, "scanner": "osv-scanner", "fingerprint": "c840e0e6232e376bf5fdcde492221380c7d20fb4fd2f443bf42dc8288b4c1332", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69872"], "package": "diskcache", "rule_id": "GHSA-w8v5-vhqr-4h9v", "scanner": "osv-scanner", "correlation_key": "vuln|diskcache|CVE-2025-69872|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jg22-mg44-37j8", "level": "warning", "message": {"text": "aiohttp: GHSA-jg22-mg44-37j8"}, "properties": {"repobilityId": 102265, "scanner": "osv-scanner", "fingerprint": "caf18dc219683946d7f81d1c9b319803d631ae4c08bb30c1f20ccc5984297e3a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34993"], "package": "aiohttp", "rule_id": "GHSA-jg22-mg44-37j8", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34993|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hg6j-4rv6-33pg", "level": "warning", "message": {"text": "aiohttp: GHSA-hg6j-4rv6-33pg"}, "properties": {"repobilityId": 102264, "scanner": "osv-scanner", "fingerprint": "7174fba5a8baa2f98c6ed48ce704c0563514469058719fac258da55ab059affc", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47265"], "package": "aiohttp", "rule_id": "GHSA-hg6j-4rv6-33pg", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-47265|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-g7f3-828f-7h7m", "level": "warning", "message": {"text": "authlib: GHSA-g7f3-828f-7h7m"}, "properties": {"repobilityId": 102255, "scanner": "osv-scanner", "fingerprint": "ed8ffc85bfb7fb52203cdf8f6fcd4d5632a177596f876f755bbcfaebf1f2c6c6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-62706"], "package": "authlib", "rule_id": "GHSA-g7f3-828f-7h7m", "scanner": "osv-scanner", "correlation_key": "vuln|authlib|CVE-2025-62706|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/adk/basic/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fg6f-75jq-6523", "level": "warning", "message": {"text": "authlib: GHSA-fg6f-75jq-6523"}, "properties": {"repobilityId": 102254, "scanner": "osv-scanner", "fingerprint": "c45c35388866bc3b0bb558dae978c0f4ac947d72d1ac2b355b8cf83e09a849b3", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68158"], "package": "authlib", "rule_id": "GHSA-fg6f-75jq-6523", "scanner": "osv-scanner", "correlation_key": "vuln|authlib|CVE-2025-68158|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/adk/basic/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gc5v-m9x4-r6x2", "level": "warning", "message": {"text": "requests: GHSA-gc5v-m9x4-r6x2"}, "properties": {"repobilityId": 102209, "scanner": "osv-scanner", "fingerprint": "c36a654dcf585cddd2a42e13a3cd5854e39ed34b9d71351b4fca02fcd0b478d0", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-25645"], "package": "requests", "rule_id": "GHSA-gc5v-m9x4-r6x2", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2026-25645|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-gc5v-m9x4-r6x2"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["8f85af21ad28fc5d2bdb85360af63e1a36e9886ac714228642b5b6cce1f0b818", "c36a654dcf585cddd2a42e13a3cd5854e39ed34b9d71351b4fca02fcd0b478d0"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mj87-hwqh-73pj", "level": "warning", "message": {"text": "python-multipart: GHSA-mj87-hwqh-73pj"}, "properties": {"repobilityId": 102206, "scanner": "osv-scanner", "fingerprint": "cc9a978b5a1989606169a7318813e2c1f52718406946ae0af35dab012708b4fb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-40347"], "package": "python-multipart", "rule_id": "GHSA-mj87-hwqh-73pj", "scanner": "osv-scanner", "correlation_key": "vuln|python-multipart|CVE-2026-40347|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-mj87-hwqh-73pj"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1ea69b58e2887dd49e4b784ccbd78c4d9f81e378c1026c452d9e1d02ce500518", "cc9a978b5a1989606169a7318813e2c1f52718406946ae0af35dab012708b4fb"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mf9w-mj56-hr94", "level": "warning", "message": {"text": "python-dotenv: GHSA-mf9w-mj56-hr94"}, "properties": {"repobilityId": 102205, "scanner": "osv-scanner", "fingerprint": "0e9a4f78dcf00a5ee6bdadcf57a2e54a6e702a7cc806c203972ac3c148ff1926", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-28684"], "package": "python-dotenv", "rule_id": "GHSA-mf9w-mj56-hr94", "scanner": "osv-scanner", "correlation_key": "vuln|python-dotenv|CVE-2026-28684|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-mf9w-mj56-hr94"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0e9a4f78dcf00a5ee6bdadcf57a2e54a6e702a7cc806c203972ac3c148ff1926", "641c6fa947e3461efc9aa52fcdcac2614fde1b51db0d120568fbdf65c39c473a"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-65pc-fj4g-8rjx", "level": "warning", "message": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "properties": {"repobilityId": 102193, "scanner": "osv-scanner", "fingerprint": "4530352dff6153b4409f3c0da83d632105d1abbb3750f7013866ac48f171f088", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-45409"], "package": "idna", "rule_id": "GHSA-65pc-fj4g-8rjx", "scanner": "osv-scanner", "correlation_key": "vuln|idna|CVE-2024-3651|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-65pc-fj4g-8rjx"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["4530352dff6153b4409f3c0da83d632105d1abbb3750f7013866ac48f171f088", "d0ffe270557f8d904872876fdfa6c6205a430d0fe54b5cc2cbc90bad89b31376"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jg22-mg44-37j8", "level": "warning", "message": {"text": "aiohttp: GHSA-jg22-mg44-37j8"}, "properties": {"repobilityId": 102187, "scanner": "osv-scanner", "fingerprint": "256e80aec3df39539af5319e6e0730722f427a8aef83d86c441525c8df0adf47", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34993"], "package": "aiohttp", "rule_id": "GHSA-jg22-mg44-37j8", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34993|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hg6j-4rv6-33pg", "level": "warning", "message": {"text": "aiohttp: GHSA-hg6j-4rv6-33pg"}, "properties": {"repobilityId": 102186, "scanner": "osv-scanner", "fingerprint": "923b5d7530edf0ef423f464db292cc332b8cd96f46f550ebd7cdaf1339fed953", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47265"], "package": "aiohttp", "rule_id": "GHSA-hg6j-4rv6-33pg", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-47265|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 102163, "scanner": "repobility-docker", "fingerprint": "df6372052787a120c5a023bf9c48d3495ce8b5b7574100679e17ee07a58efff1", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ghcr.io/astral-sh/uv:python3.13-trixie-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|df6372052787a120c5a023bf9c48d3495ce8b5b7574100679e17ee07a58efff1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/openai/basic_agent/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 102161, "scanner": "repobility-docker", "fingerprint": "6a02f92fec613ab4c19db8405ec690e9ea1814d05ae254195e2b48276a80e829", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ghcr.io/astral-sh/uv:python3.13-trixie-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6a02f92fec613ab4c19db8405ec690e9ea1814d05ae254195e2b48276a80e829"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/langgraph/kebab/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 102159, "scanner": "repobility-docker", "fingerprint": "c1dfef72eb7148219b110a1d23cae0d795e0299a7b2abab956f7ee85a602868a", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ghcr.io/astral-sh/uv:python3.13-trixie-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c1dfef72eb7148219b110a1d23cae0d795e0299a7b2abab956f7ee85a602868a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/langgraph/hitl-tools/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 102157, "scanner": "repobility-docker", "fingerprint": "e1fa95b7b7064952ac1695d647fb82748e1540106c28e5a2d9c4b5020257da6b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ghcr.io/astral-sh/uv:python3.13-trixie-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e1fa95b7b7064952ac1695d647fb82748e1540106c28e5a2d9c4b5020257da6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/langgraph/currency/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 102155, "scanner": "repobility-docker", "fingerprint": "227a69ac00494fe17458fd1a06e8152503807b231d4cfcaec543fc19a7cfbfde", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ghcr.io/astral-sh/uv:python3.13-trixie-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|227a69ac00494fe17458fd1a06e8152503807b231d4cfcaec543fc19a7cfbfde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/crewai/research-crew/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 102153, "scanner": "repobility-docker", "fingerprint": "5b01baec1df394f248a88fd711bfd788e7219eb802ab7f8050a4db285bd74146", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ghcr.io/astral-sh/uv:python3.13-trixie-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5b01baec1df394f248a88fd711bfd788e7219eb802ab7f8050a4db285bd74146"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/crewai/poem_flow/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 102151, "scanner": "repobility-docker", "fingerprint": "5eaa4b43b5b46163a2f6bce74090969b55c61b057119d02336be10909e9c78e0", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$DOCKER_REGISTRY/kagent-dev/kagent/kagent-adk:$VERSION", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5eaa4b43b5b46163a2f6bce74090969b55c61b057119d02336be10909e9c78e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/adk/basic/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 102149, "scanner": "repobility-docker", "fingerprint": "e92e94d2904353631d78782af86b1d72ad1da68a0499c77511e309d5ba15e1aa", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$DOCKER_REGISTRY/$DOCKER_REPO/kagent-adk:$KAGENT_ADK_VERSION", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e92e94d2904353631d78782af86b1d72ad1da68a0499c77511e309d5ba15e1aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/Dockerfile.app"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 102147, "scanner": "repobility-docker", "fingerprint": "11b1e3d3bd2f5862034cc945ecaf123f1bf0b7c345639bbf9d35c3dcdb37d564", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python-os", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|11b1e3d3bd2f5862034cc945ecaf123f1bf0b7c345639bbf9d35c3dcdb37d564"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/Dockerfile"}, "region": {"startLine": 97}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 102143, "scanner": "repobility-docker", "fingerprint": "515163f1b15792670b1ff51b77541b5d23ce150a97ff7f2f1cb4fe7482012e4d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$DOCKER_REGISTRY/$DOCKER_REPO/kagent-adk:$VERSION", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|515163f1b15792670b1ff51b77541b5d23ce150a97ff7f2f1cb4fe7482012e4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 102138, "scanner": "repobility-docker", "fingerprint": "0c4893392def8e1a61018a433b2d9b4320761175b1b8a90f2b09287dce27ef9a", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0c4893392def8e1a61018a433b2d9b4320761175b1b8a90f2b09287dce27ef9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/mcp/frameworks/golang/templates/Dockerfile.tmpl"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 102137, "scanner": "repobility-docker", "fingerprint": "7b6207a6764c661e2cbb87b58791a9beb1d85d219eaf009aee16d7e20da47d87", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "alpine", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7b6207a6764c661e2cbb87b58791a9beb1d85d219eaf009aee16d7e20da47d87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/mcp/frameworks/golang/templates/Dockerfile.tmpl"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 102135, "scanner": "repobility-docker", "fingerprint": "3b9d7da3aaf113734ee0b3d2c80cb2bcba26086432b241a08e9a0872b3ac3749", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24-bookworm-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3b9d7da3aaf113734ee0b3d2c80cb2bcba26086432b241a08e9a0872b3ac3749"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/agent/frameworks/adk/python/templates/mcp_server/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 102132, "scanner": "repobility-docker", "fingerprint": "0aa84288cc56f311f70786cdf1aa406f1dfc2c159c4e46ed50d766a34c4fc607", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$DOCKER_REGISTRY/kagent-dev/kagent/kagent-adk:$VERSION", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0aa84288cc56f311f70786cdf1aa406f1dfc2c159c4e46ed50d766a34c4fc607"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/agent/frameworks/adk/python/templates/Dockerfile.tmpl"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 102125, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 102124, "scanner": "repobility-docker", "fingerprint": "6e3e7bafbd03dcfaa65d2f89e1f110d40250ba9445025e9d61413627cd2a7a17", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node-python-golang", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6e3e7bafbd03dcfaa65d2f89e1f110d40250ba9445025e9d61413627cd2a7a17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 102120, "scanner": "repobility-threat-engine", "fingerprint": "c06bb1a79b96107dfb9871f59b2b8aee4bb094062d6d12a2560241bb29888f97", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(twitterUrl, '_blank', 'noopener,noreferrer')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|142|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/components/onboarding/OnboardingWizard.tsx"}, "region": {"startLine": 142}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030."}, "properties": {"repobilityId": 102113, "scanner": "repobility-threat-engine", "fingerprint": "2e7f85e6dcdace23a2a7c96034a22bd5ab622d7f19639524a318baf853804a4a", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = SSO_LOGOUT_PATH", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2e7f85e6dcdace23a2a7c96034a22bd5ab622d7f19639524a318baf853804a4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/components/UserMenu.tsx"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 102097, "scanner": "repobility-threat-engine", "fingerprint": "e3978437b9816fc13d31776c71f693f094b937fa91341aa5e43745c95a8572a7", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|38|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/openai/basic_agent/basic_agent/agent.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 102095, "scanner": "repobility-threat-engine", "fingerprint": "8ce1cec1ccaa52f01be2b144911aca9d8652058ad95aec8e28d33f92160d6f5d", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logging.info(f\"Loading flow state from Kagent backend with params: {params", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8ce1cec1ccaa52f01be2b144911aca9d8652058ad95aec8e28d33f92160d6f5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-crewai/src/kagent/crewai/_state.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 102094, "scanner": "repobility-threat-engine", "fingerprint": "0a542569678e9b2e8de8f22f5ab18b0fc3c824d036c84fd939addc51db0353c5", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logging.debug(f\"Loading memory from Kagent backend with params: {params", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0a542569678e9b2e8de8f22f5ab18b0fc3c824d036c84fd939addc51db0353c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-crewai/src/kagent/crewai/_memory.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "properties": {"repobilityId": 102093, "scanner": "repobility-threat-engine", "fingerprint": "40ec38150c90e05de5f1674317a98dbddfc993bccce772549d569d2ad9506631", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "verify = False", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC014", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|72|sec014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/src/kagent/adk/models/_token_source.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "properties": {"repobilityId": 102092, "scanner": "repobility-threat-engine", "fingerprint": "7df7172d898057490ef26437fab3b541fd3a8aa1e391224339799710216816cf", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "verify=False", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC014", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|178|sec014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/src/kagent/adk/models/_ssl.py"}, "region": {"startLine": 178}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 102091, "scanner": "repobility-threat-engine", "fingerprint": "eba8f2b88e00d058d5a23c04c903ad3988d539c72a30270703addb6cb53b5f5a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def cancel(self, context: RequestContext, event_queue: EventQueue):\n        raise NotImplementedErro", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|eba8f2b88e00d058d5a23c04c903ad3988d539c72a30270703addb6cb53b5f5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-crewai/src/kagent/crewai/_executor.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 102090, "scanner": "repobility-threat-engine", "fingerprint": "455a4681fc8dae5d2cffeda78fccdb4c6d2f2a2071f891505c67c8673df19435", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def list_sessions_sync(self, *, app_name: str, user_id: str) -> ListSessionsResponse:\n        raise", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|455a4681fc8dae5d2cffeda78fccdb4c6d2f2a2071f891505c67c8673df19435"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/src/kagent/adk/_session_service.py"}, "region": {"startLine": 150}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 102089, "scanner": "repobility-threat-engine", "fingerprint": "a3594fa55acddaf86175b02e6c602803877d3fc4d99515d1011f1ecf2731f218", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def create_session", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|273|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-openai/src/kagent/openai/_session_service.py"}, "region": {"startLine": 273}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 102088, "scanner": "repobility-threat-engine", "fingerprint": "9c92b5ed3b3314b8667146b49a101c7627c319e5fddd15c0e38c4880953d4752", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def create_session", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|28|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/src/kagent/adk/_session_service.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC125", "level": "warning", "message": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim \u2014 production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand"}, "properties": {"repobilityId": 102066, "scanner": "repobility-threat-engine", "fingerprint": "6b7b05d62e579fdafa292124c7e52917a984b62d2d31d11b2f652c8819417aa5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"your-api-key-here\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC125", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6b7b05d62e579fdafa292124c7e52917a984b62d2d31d11b2f652c8819417aa5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/cli/agent/utils.go"}, "region": {"startLine": 291}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 102049, "scanner": "repobility-threat-engine", "fingerprint": "0694cde1f85cef0012b42957ba15b528a4111293ebc8475f18c2dd542370fb76", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{\n\t\t\tAddr:    addr,\n\t\t\tHandler: instrumentedHandler,\n\t\t}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0694cde1f85cef0012b42957ba15b528a4111293ebc8475f18c2dd542370fb76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/adk/pkg/a2a/server/server.go"}, "region": {"startLine": 67}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 102030, "scanner": "repobility-agent-runtime", "fingerprint": "bedca4692ce92191c2a8e73358f1e218ec0ce828caeab90ea6fcd23ab84c0129", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|bedca4692ce92191c2a8e73358f1e218ec0ce828caeab90ea6fcd23ab84c0129"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/components/AgentList.tsx"}, "region": {"startLine": 81}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 102029, "scanner": "repobility-agent-runtime", "fingerprint": "30611cab46f1388082d40bef98b4ef696a0b1bff74c054bfa2d5ff45a6d60f69", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|30611cab46f1388082d40bef98b4ef696a0b1bff74c054bfa2d5ff45a6d60f69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/openai/basic_agent/basic_agent/agent.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 102028, "scanner": "repobility-agent-runtime", "fingerprint": "d3441bfff605cede64b8e712fa2490dc93430b0a25658382a70054ef60321212", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d3441bfff605cede64b8e712fa2490dc93430b0a25658382a70054ef60321212"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/langgraph/kebab/kebab/cli.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 102027, "scanner": "repobility-agent-runtime", "fingerprint": "d17e545e103c4bc2a4e1e96f5a760ddcb564be511f2f5cc20db2f0ca79a8d2ae", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d17e545e103c4bc2a4e1e96f5a760ddcb564be511f2f5cc20db2f0ca79a8d2ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/langgraph/hitl-tools/hitl_tools/cli.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 102026, "scanner": "repobility-agent-runtime", "fingerprint": "e0c97ccdc100ef669f340453f6aec824b823d09d2a1324d6beb62d925215cda7", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|e0c97ccdc100ef669f340453f6aec824b823d09d2a1324d6beb62d925215cda7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/langgraph/currency/currency/cli.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 102025, "scanner": "repobility-agent-runtime", "fingerprint": "bbc95f0af939a9d0266b5da74e6ba017673544ca671f248c8d2659a7513f8b17", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|bbc95f0af939a9d0266b5da74e6ba017673544ca671f248c8d2659a7513f8b17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/crewai/research-crew/src/research_crew/main.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 102024, "scanner": "repobility-agent-runtime", "fingerprint": "39374e29d434e617d6f35aedb15b4975f32d45eaaa05429875353cd114584946", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|39374e29d434e617d6f35aedb15b4975f32d45eaaa05429875353cd114584946"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/crewai/poem_flow/src/poem_flow/main.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 102023, "scanner": "repobility-agent-runtime", "fingerprint": "33d0ac1b4fcd3ec6c1f67cca6acfb5f7c32703d05ab7b6349f288a9df252421a", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|33d0ac1b4fcd3ec6c1f67cca6acfb5f7c32703d05ab7b6349f288a9df252421a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/translator/agent/testdata/outputs/agent_with_scheduling_attributes.json"}, "region": {"startLine": 150}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 102022, "scanner": "repobility-agent-runtime", "fingerprint": "89f0a5f865eb44a5bf16e3ef1e84c8aee345b70e8aa86f09260ff0745c33e845", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|89f0a5f865eb44a5bf16e3ef1e84c8aee345b70e8aa86f09260ff0745c33e845"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/translator/agent/testdata/outputs/agent_with_http_toolserver.json"}, "region": {"startLine": 29}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 102021, "scanner": "repobility-agent-runtime", "fingerprint": "51ada3a6c22324b9bf8cf8d0fb4d465efaa99af56591dc8a6c076876a4936e09", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|51ada3a6c22324b9bf8cf8d0fb4d465efaa99af56591dc8a6c076876a4936e09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/data/agent-framework/scenario1/service-no-endpoint.yaml"}, "region": {"startLine": 65}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 102020, "scanner": "repobility-agent-runtime", "fingerprint": "d312e03253aafb8499ee86464f7ae6faf891e0933e9b5388afbaf73761001101", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d312e03253aafb8499ee86464f7ae6faf891e0933e9b5388afbaf73761001101"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/data/agent-framework/scenario1/run.sh"}, "region": {"startLine": 197}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 102019, "scanner": "repobility-agent-runtime", "fingerprint": "76847df85c4a2b6be91cf389c43ebfeb918b46f384c55df0b347bc503f327861", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|76847df85c4a2b6be91cf389c43ebfeb918b46f384c55df0b347bc503f327861"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/skills/kagent/references/cli-reference.md"}, "region": {"startLine": 10}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `js-yaml` is 1 major version(s) behind (3.14.2 -> 4.2.0)"}, "properties": {"repobilityId": 102018, "scanner": "repobility-dependency-currency", "fingerprint": "00439140578ad33cde10a8708f7de5e99890ed120b3e9bca13409e70e13da5d5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "js-yaml", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.2.0", "correlation_key": "fp|00439140578ad33cde10a8708f7de5e99890ed120b3e9bca13409e70e13da5d5", "current_version": "3.14.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/data/agent-framework/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `chai` is 1 major version(s) behind (5.3.3 -> 6.2.2)"}, "properties": {"repobilityId": 102017, "scanner": "repobility-dependency-currency", "fingerprint": "de6f71c0cdb5651ea483c8770b9d94192e1fcc6e2dd62268f6c898434c14997d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "chai", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.2.2", "correlation_key": "fp|de6f71c0cdb5651ea483c8770b9d94192e1fcc6e2dd62268f6c898434c14997d", "current_version": "5.3.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/data/agent-framework/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `uuid` is 3 major version(s) behind (11.1.0 -> 14.0.0)"}, "properties": {"repobilityId": 102014, "scanner": "repobility-dependency-currency", "fingerprint": "a188777e1600387ea8d96ff4f0d6fd1334c7fbcd82e38efba9497ac23ea5a962", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "uuid", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "14.0.0", "correlation_key": "fp|a188777e1600387ea8d96ff4f0d6fd1334c7fbcd82e38efba9497ac23ea5a962", "current_version": "11.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 101969, "scanner": "repobility-ast-engine", "fingerprint": "2f17025f695e2f7344d496b1bddce6c9f39fca3481e5e06e22ad809f7576b091", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2f17025f695e2f7344d496b1bddce6c9f39fca3481e5e06e22ad809f7576b091"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/openai/basic_agent/basic_agent/agent.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 101968, "scanner": "repobility-ast-engine", "fingerprint": "cc52864e4b75545ba851459d78ce055b99cd66e25b0ac785b35a96c44a2aa3eb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cc52864e4b75545ba851459d78ce055b99cd66e25b0ac785b35a96c44a2aa3eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-openai/src/kagent/openai/tools/_tools.py"}, "region": {"startLine": 169}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 101967, "scanner": "repobility-ast-engine", "fingerprint": "8018ed8252f4e53cbd66a45ea9d43a5d5ddbdc11edb8b014eeb97679793eb451", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8018ed8252f4e53cbd66a45ea9d43a5d5ddbdc11edb8b014eeb97679793eb451"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/src/kagent/adk/models/_ollama.py"}, "region": {"startLine": 266}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 101966, "scanner": "repobility-ast-engine", "fingerprint": "999f2ff858c7cc70c62c508c1466f70c7f8045733b8fbd1afc7cb71abf92ef9b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|999f2ff858c7cc70c62c508c1466f70c7f8045733b8fbd1afc7cb71abf92ef9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/src/kagent/adk/models/_bedrock.py"}, "region": {"startLine": 419}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 101965, "scanner": "repobility-ast-engine", "fingerprint": "c9efb790463cff5b27d09284687003487400928a25a605c9efb1765817c1cb6e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c9efb790463cff5b27d09284687003487400928a25a605c9efb1765817c1cb6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/src/kagent/adk/models/_openai.py"}, "region": {"startLine": 435}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 101964, "scanner": "repobility-ast-engine", "fingerprint": "c8de490aa441f01bc0ff4084971057c974213ffe55b614dafa064c71adbfb056", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c8de490aa441f01bc0ff4084971057c974213ffe55b614dafa064c71adbfb056"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/src/kagent/adk/models/_openai.py"}, "region": {"startLine": 599}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 101963, "scanner": "repobility-ast-engine", "fingerprint": "787160f0be1c253532eb8c76ede99f27fd50ae6413223c68e1e4bc461cb3d671", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|787160f0be1c253532eb8c76ede99f27fd50ae6413223c68e1e4bc461cb3d671"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/src/kagent/adk/sandbox_code_executer.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 102294, "scanner": "repobility-web-presence", "fingerprint": "2a273dc0e7697d04d0e02794306b5e87996c546fca82b7ea07f502f429ac24ca", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|2a273dc0e7697d04d0e02794306b5e87996c546fca82b7ea07f502f429ac24ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/translator/agent/testdata/inputs/agent_with_code.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pjjw-68hj-v9mw", "level": "note", "message": {"text": "uv: GHSA-pjjw-68hj-v9mw"}, "properties": {"repobilityId": 102289, "scanner": "osv-scanner", "fingerprint": "835e7485c8125138e36f3fb39e2dfa44d26686dea02d387f136ec146a48dc543", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "uv", "rule_id": "GHSA-pjjw-68hj-v9mw", "scanner": "osv-scanner", "correlation_key": "vuln|uv|GHSA-PJJW-68HJ-V9MW|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5239-wwwm-4pmq", "level": "note", "message": {"text": "pygments: GHSA-5239-wwwm-4pmq"}, "properties": {"repobilityId": 102282, "scanner": "osv-scanner", "fingerprint": "bc9da26965a064241d00374d774541bff60b678177dba1f8e361fa2e2f55207b", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4539"], "package": "pygments", "rule_id": "GHSA-5239-wwwm-4pmq", "scanner": "osv-scanner", "correlation_key": "vuln|pygments|CVE-2026-4539|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vp96-hxj8-p424", "level": "note", "message": {"text": "pyopenssl: GHSA-vp96-hxj8-p424"}, "properties": {"repobilityId": 102204, "scanner": "osv-scanner", "fingerprint": "3dd1338cc01d59d0dd7fd919e976eac16811d6880800e35eaa13e10f1e5171bb", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27448"], "package": "pyopenssl", "rule_id": "GHSA-vp96-hxj8-p424", "scanner": "osv-scanner", "correlation_key": "vuln|pyopenssl|CVE-2026-27448|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 102162, "scanner": "repobility-docker", "fingerprint": "495f6a25ab0abe8b64753563f3199f72843b60355f9d664bd6aa22f4e911bed5", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|495f6a25ab0abe8b64753563f3199f72843b60355f9d664bd6aa22f4e911bed5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/openai/basic_agent/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 102160, "scanner": "repobility-docker", "fingerprint": "983852e968d5c82d6706cc12ecc1a762016699d9e49deea6c0bc001159b4ac19", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|983852e968d5c82d6706cc12ecc1a762016699d9e49deea6c0bc001159b4ac19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/langgraph/kebab/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 102158, "scanner": "repobility-docker", "fingerprint": "1852d21f3b13e65a948e47038383d6269e31123c076ecc8d8802a4158a42b92a", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1852d21f3b13e65a948e47038383d6269e31123c076ecc8d8802a4158a42b92a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/langgraph/hitl-tools/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 102156, "scanner": "repobility-docker", "fingerprint": "6af5cd0e63d1e27de5c814d64786033749c62dd308e5980e61dc3eb116ede7fa", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6af5cd0e63d1e27de5c814d64786033749c62dd308e5980e61dc3eb116ede7fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/langgraph/currency/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 102154, "scanner": "repobility-docker", "fingerprint": "be71f4c5ec73465a50e1b25037556c227a035013ac4dcc220dcf1ef457bf8c0f", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|be71f4c5ec73465a50e1b25037556c227a035013ac4dcc220dcf1ef457bf8c0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/crewai/research-crew/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 102152, "scanner": "repobility-docker", "fingerprint": "3312d7da8e9d5e1043bee917766c51bc35d4df227e2a5b0af95bd486701990c8", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3312d7da8e9d5e1043bee917766c51bc35d4df227e2a5b0af95bd486701990c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/crewai/poem_flow/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 102140, "scanner": "repobility-docker", "fingerprint": "5b9c07697e3d8b1501d449c87848e0888f03ef2fabf676c7c2a1359d0a04434d", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5b9c07697e3d8b1501d449c87848e0888f03ef2fabf676c7c2a1359d0a04434d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/mcp/frameworks/typescript/templates/Dockerfile.tmpl"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 102139, "scanner": "repobility-docker", "fingerprint": "cd5242638d14867ca78c9d9f78f97b7a15a2f92db97efc28138722264608b4fa", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|cd5242638d14867ca78c9d9f78f97b7a15a2f92db97efc28138722264608b4fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/mcp/frameworks/python/templates/Dockerfile.tmpl"}, "region": {"startLine": 50}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 102133, "scanner": "repobility-docker", "fingerprint": "0bbab41c0cf07d58ad71f1529fe8bb83bf2cd073f9e8a401b87821b3cda95b0f", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0bbab41c0cf07d58ad71f1529fe8bb83bf2cd073f9e8a401b87821b3cda95b0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/agent/frameworks/adk/python/templates/mcp_server/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 102118, "scanner": "repobility-threat-engine", "fingerprint": "2263d29010ba296a1ea55cca039a60f90fdeda756c77d8923bcf62ef131c4df6", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = h", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|13|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/components/chat/HTMLPreviewDialog.tsx"}, "region": {"startLine": 13}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `strip_confirmation_parts_callback` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: and=3, for=1, if=2, nested_bonus=1, or=1."}, "properties": {"repobilityId": 102085, "scanner": "repobility-threat-engine", "fingerprint": "bdbee0c7a5a0bd81d380550279b017003a8de1336a81d9bf2196eec47cb12e7f", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "strip_confirmation_parts_callback", "breakdown": {"if": 2, "or": 1, "and": 3, "for": 1, "nested_bonus": 1}, "complexity": 8, "correlation_key": "fp|bdbee0c7a5a0bd81d380550279b017003a8de1336a81d9bf2196eec47cb12e7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/src/kagent/adk/_approval.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `before_tool` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: if=4, nested_bonus=3, or=1, ternary=1."}, "properties": {"repobilityId": 102084, "scanner": "repobility-threat-engine", "fingerprint": "6db2d805474816ea5f14e0f85be0d96954547df868845daaeb933e21045b9851", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "before_tool", "breakdown": {"if": 4, "or": 1, "ternary": 1, "nested_bonus": 3}, "complexity": 9, "correlation_key": "fp|6db2d805474816ea5f14e0f85be0d96954547df868845daaeb933e21045b9851"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/src/kagent/adk/_approval.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `fetch_well_known_configuration` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=1, except=3, if=3, nested_bonus=1."}, "properties": {"repobilityId": 102083, "scanner": "repobility-threat-engine", "fingerprint": "3161874b90e540c4152ddfbc4cd91b32499fbe4bef2f2c9eb279850439581ccb", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "fetch_well_known_configuration", "breakdown": {"if": 3, "else": 1, "except": 3, "nested_bonus": 1}, "complexity": 8, "correlation_key": "fp|3161874b90e540c4152ddfbc4cd91b32499fbe4bef2f2c9eb279850439581ccb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/agentsts-core/src/agentsts/core/client/_utils.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 102047, "scanner": "repobility-threat-engine", "fingerprint": "86da92ad546ee3cb3fdfc5400e3603433a8b9a9670f616ec9b975fdd123c82ed", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = w.Write(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|86da92ad546ee3cb3fdfc5400e3603433a8b9a9670f616ec9b975fdd123c82ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/adk/pkg/a2a/server/health.go"}, "region": {"startLine": 12}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 102046, "scanner": "repobility-threat-engine", "fingerprint": "764b1ccf2df0c231b307f2af5897db419b67e7c1eb5a511bb1c26dd9ffc0abd6", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = zapLogger.Sync(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|764b1ccf2df0c231b307f2af5897db419b67e7c1eb5a511bb1c26dd9ffc0abd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/adk/examples/byo/main.go"}, "region": {"startLine": 59}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 102045, "scanner": "repobility-threat-engine", "fingerprint": "dfd5a65170de3d3ce3aa32b86e12134de1425fd62e6592a7dd5d6d9d0691b26b", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = devConfig.Build(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dfd5a65170de3d3ce3aa32b86e12134de1425fd62e6592a7dd5d6d9d0691b26b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/adk/cmd/main.go"}, "region": {"startLine": 50}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `postcss` is minor version(s) behind (8.4.31 -> 8.5.15)"}, "properties": {"repobilityId": 102015, "scanner": "repobility-dependency-currency", "fingerprint": "50e149b509e48857541bb805a2ea67217733f47f94f8133cc6671dde210f71b9", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "postcss", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.5.15", "correlation_key": "fp|50e149b509e48857541bb805a2ea67217733f47f94f8133cc6671dde210f71b9", "current_version": "8.4.31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101912, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3f24412286103285831d0bdc3006a07dabffe3d755e97d70646f4b0bdbf3e940", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/core/internal/controller/modelproviderconfig_controller.go", "duplicate_line": 14, "correlation_key": "fp|3f24412286103285831d0bdc3006a07dabffe3d755e97d70646f4b0bdbf3e940"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/remote_mcp_server_controller.go"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101911, "scanner": "repobility-ai-code-hygiene", "fingerprint": "69b2bd035b4cf553899a47382eaea20ba9e7dac4e4f73895644cca4bbb12a1ea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/core/internal/controller/agent_controller.go", "duplicate_line": 1, "correlation_key": "fp|69b2bd035b4cf553899a47382eaea20ba9e7dac4e4f73895644cca4bbb12a1ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/remote_mcp_server_controller.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101910, "scanner": "repobility-ai-code-hygiene", "fingerprint": "81889b02083c3df882b0724a69e2a56f8367a7ca9931c4bafbb65ce825cd115b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/core/internal/controller/modelconfig_controller.go", "duplicate_line": 14, "correlation_key": "fp|81889b02083c3df882b0724a69e2a56f8367a7ca9931c4bafbb65ce825cd115b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/modelproviderconfig_controller.go"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101909, "scanner": "repobility-ai-code-hygiene", "fingerprint": "288c95d89a5d3a4d38f52090d1a9ff5bb52893ff1a50f7ecbb8e46ccae78f1c3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/core/internal/controller/agent_controller.go", "duplicate_line": 1, "correlation_key": "fp|288c95d89a5d3a4d38f52090d1a9ff5bb52893ff1a50f7ecbb8e46ccae78f1c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/modelproviderconfig_controller.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101908, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e9bb05f8efb7ba79f640a8012c157caeac40c2f9a6beb3d84ff7017a1833860c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/core/internal/controller/agent_controller.go", "duplicate_line": 1, "correlation_key": "fp|e9bb05f8efb7ba79f640a8012c157caeac40c2f9a6beb3d84ff7017a1833860c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/modelconfig_controller.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101907, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ee711167cdd8996d7486f664ebec165974edd43c3968192edbe334dd06c4efdf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/core/internal/controller/agent_controller.go", "duplicate_line": 1, "correlation_key": "fp|ee711167cdd8996d7486f664ebec165974edd43c3968192edbe334dd06c4efdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/mcp_server_tool_controller.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101906, "scanner": "repobility-ai-code-hygiene", "fingerprint": "203a4009ef102d732726200a868d6e432ee7506c5dc6b43c840003a3acdd1a39", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/core/internal/controller/agentharness_openshell_controller.go", "duplicate_line": 48, "correlation_key": "fp|203a4009ef102d732726200a868d6e432ee7506c5dc6b43c840003a3acdd1a39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/agentharness_substrate_controller.go"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101905, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fe5003b962b0ffc80aba8fe4c05a621d7c0541566bc9f46f0e08c6c92d263f34", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/core/cli/internal/mcp/frameworks/java/generator.go", "duplicate_line": 76, "correlation_key": "fp|fe5003b962b0ffc80aba8fe4c05a621d7c0541566bc9f46f0e08c6c92d263f34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/mcp/frameworks/typescript/generator.go"}, "region": {"startLine": 107}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101904, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3e92d843222c7cce8f887aacee7b487de8d56109664eafae95ccaac28ac74cca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/core/cli/internal/mcp/frameworks/python/generator.go", "duplicate_line": 5, "correlation_key": "fp|3e92d843222c7cce8f887aacee7b487de8d56109664eafae95ccaac28ac74cca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/mcp/frameworks/typescript/generator.go"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101903, "scanner": "repobility-ai-code-hygiene", "fingerprint": "68e797777ce2f84f448adaf6864ffbba4fa9191c5ae7b81646724359368531ca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/core/cli/internal/mcp/frameworks/java/generator.go", "duplicate_line": 76, "correlation_key": "fp|68e797777ce2f84f448adaf6864ffbba4fa9191c5ae7b81646724359368531ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/mcp/frameworks/python/generator.go"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101902, "scanner": "repobility-ai-code-hygiene", "fingerprint": "30f1870124ad15c4df6f85b38dab0a54be5ca8c788f1f09621002b152c538982", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/api/v1alpha2/modelproviderconfig_types.go", "duplicate_line": 4, "correlation_key": "fp|30f1870124ad15c4df6f85b38dab0a54be5ca8c788f1f09621002b152c538982"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/v1alpha2/sandboxagent_types.go"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101901, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f6d9ace09b175c1e0f01134e9cecbbb047ed9c3ce03f14d68a4c0046d18bddb4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/api/v1alpha2/groupversion_info.go", "duplicate_line": 2, "correlation_key": "fp|f6d9ace09b175c1e0f01134e9cecbbb047ed9c3ce03f14d68a4c0046d18bddb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/v1alpha2/sandboxagent_types.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101900, "scanner": "repobility-ai-code-hygiene", "fingerprint": "03d9c9a42d55ba905b6f69d1651e008e1dabcbd6db4a2605b5d0f7b077626ac3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/api/v1alpha2/agent_types.go", "duplicate_line": 1, "correlation_key": "fp|03d9c9a42d55ba905b6f69d1651e008e1dabcbd6db4a2605b5d0f7b077626ac3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/v1alpha2/sandboxagent_types.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101899, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9e75da31410dfc2b1214ae7939b6457b4069bd81b68cc2407caa6364b0befddc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/api/v1alpha2/agent_types.go", "duplicate_line": 1, "correlation_key": "fp|9e75da31410dfc2b1214ae7939b6457b4069bd81b68cc2407caa6364b0befddc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/v1alpha2/remotemcpserver_types.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101898, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2b31ace6b39db8a1e18b8903f86f982cf74235e9616f53574349254d676ef275", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/api/v1alpha2/groupversion_info.go", "duplicate_line": 2, "correlation_key": "fp|2b31ace6b39db8a1e18b8903f86f982cf74235e9616f53574349254d676ef275"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/v1alpha2/modelproviderconfig_types.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101897, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d5186d8b576986ef0b17c8b506732541813158ce60594d8e92f74b77a7e2579d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/api/v1alpha2/agent_types.go", "duplicate_line": 1, "correlation_key": "fp|d5186d8b576986ef0b17c8b506732541813158ce60594d8e92f74b77a7e2579d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/v1alpha2/modelproviderconfig_types.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101896, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0d908d364efbcc5d62ae02a5a1c7b57c641932adf7b2a4612a7ce4f6636cf8d5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/api/v1alpha1/modelconfig_types.go", "duplicate_line": 13, "correlation_key": "fp|0d908d364efbcc5d62ae02a5a1c7b57c641932adf7b2a4612a7ce4f6636cf8d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/v1alpha2/modelconfig_types.go"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101895, "scanner": "repobility-ai-code-hygiene", "fingerprint": "32c7a7674a3c9d2b02427c9d4c657bdd12e5585d9c23ba75bb12bb3ffc08e1f0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/api/v1alpha2/agent_types.go", "duplicate_line": 1, "correlation_key": "fp|32c7a7674a3c9d2b02427c9d4c657bdd12e5585d9c23ba75bb12bb3ffc08e1f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/v1alpha2/modelconfig_types.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101894, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8308843a3020d713988a9c47dbfd059439e4ae013a65e7b6300781f37d187e46", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/api/v1alpha2/agent_types.go", "duplicate_line": 1, "correlation_key": "fp|8308843a3020d713988a9c47dbfd059439e4ae013a65e7b6300781f37d187e46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/v1alpha2/groupversion_info.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101893, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eaad5fad0d398178e71f27391b1cb48d1bc7c47dc0ba55c8075580a3bf6313b5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/api/v1alpha2/agent_types.go", "duplicate_line": 1, "correlation_key": "fp|eaad5fad0d398178e71f27391b1cb48d1bc7c47dc0ba55c8075580a3bf6313b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/v1alpha2/common_types.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101892, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ef81264b0a43195c72824155d51ed3899c482fe3bddd9c4e422207b81dab1c0f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/api/v1alpha1/agent_types.go", "duplicate_line": 69, "correlation_key": "fp|ef81264b0a43195c72824155d51ed3899c482fe3bddd9c4e422207b81dab1c0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/v1alpha2/agent_types.go"}, "region": {"startLine": 207}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101891, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1fd8e5b4d744a5192f0954dc1eb3beaf973aaa92c7d8ea2e6f62487f2313fff9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/api/v1alpha1/agent_types.go", "duplicate_line": 1, "correlation_key": "fp|1fd8e5b4d744a5192f0954dc1eb3beaf973aaa92c7d8ea2e6f62487f2313fff9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/v1alpha1/zz_generated.deepcopy.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101890, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bd8eea84bc8fa9f2b7c4588df5300bf6f04a9c05afb67d19ba4af270e2d07307", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/api/v1alpha1/agent_types.go", "duplicate_line": 1, "correlation_key": "fp|bd8eea84bc8fa9f2b7c4588df5300bf6f04a9c05afb67d19ba4af270e2d07307"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/v1alpha1/toolserver_types.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101889, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4453f6bf46accd1dd3d4191d5291817a3bfc401fb94ea71dd2f2eebc9c51166b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/api/v1alpha1/memory_types.go", "duplicate_line": 4, "correlation_key": "fp|4453f6bf46accd1dd3d4191d5291817a3bfc401fb94ea71dd2f2eebc9c51166b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/v1alpha1/modelconfig_types.go"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101888, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6f54a9c86a61bbd88d57edf8d9b21d605f1912e1e170f8f9321c7439a85afd56", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/api/v1alpha1/groupversion_info.go", "duplicate_line": 2, "correlation_key": "fp|6f54a9c86a61bbd88d57edf8d9b21d605f1912e1e170f8f9321c7439a85afd56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/v1alpha1/modelconfig_types.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101887, "scanner": "repobility-ai-code-hygiene", "fingerprint": "497023fbd7514d70510860f439b711eeebd3ebb5849d2e9c34cf3ab232d97f8e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/api/v1alpha1/agent_types.go", "duplicate_line": 1, "correlation_key": "fp|497023fbd7514d70510860f439b711eeebd3ebb5849d2e9c34cf3ab232d97f8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/v1alpha1/modelconfig_types.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101886, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b173853c0472dbebb13dad6b61356cb7108bbf352ba921a05b44fd1cf0f5e6c8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/api/v1alpha1/groupversion_info.go", "duplicate_line": 2, "correlation_key": "fp|b173853c0472dbebb13dad6b61356cb7108bbf352ba921a05b44fd1cf0f5e6c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/v1alpha1/memory_types.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101885, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2ba3e98d72b1a3a24f0c4585fd8d3fe7baebe4b6cd9dc51792170398da1cea29", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/api/v1alpha1/agent_types.go", "duplicate_line": 1, "correlation_key": "fp|2ba3e98d72b1a3a24f0c4585fd8d3fe7baebe4b6cd9dc51792170398da1cea29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/v1alpha1/memory_types.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101884, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7c528f680b1443c1f26e23fd70e4538909e52da612cf7c8433e673d3d585e421", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/api/v1alpha1/agent_types.go", "duplicate_line": 1, "correlation_key": "fp|7c528f680b1443c1f26e23fd70e4538909e52da612cf7c8433e673d3d585e421"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/v1alpha1/groupversion_info.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 101883, "scanner": "repobility-ai-code-hygiene", "fingerprint": "912125cdc1a193cdb850074e2f48320ea7a47b10b60b5e90e27f8f3b338031e9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "go/adk/pkg/models/bedrock.go", "duplicate_line": 263, "correlation_key": "fp|912125cdc1a193cdb850074e2f48320ea7a47b10b60b5e90e27f8f3b338031e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/adk/pkg/models/ollama_adk.go"}, "region": {"startLine": 100}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 102166, "scanner": "repobility-docker", "fingerprint": "33d29ef097af6e9f611387e65f271ee44e496066638aac0c410848d362790b7e", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASE_IMAGE_REGISTRY/chainguard/wolfi-base:latest", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|33d29ef097af6e9f611387e65f271ee44e496066638aac0c410848d362790b7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/Dockerfile"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 102164, "scanner": "repobility-docker", "fingerprint": "ab4b402d87959a2f3c0bd56a1382314019ade9da5167459a43fdb9ba26d74d18", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASE_IMAGE_REGISTRY/chainguard/wolfi-base:latest", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|ab4b402d87959a2f3c0bd56a1382314019ade9da5167459a43fdb9ba26d74d18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 102150, "scanner": "repobility-docker", "fingerprint": "aee5372608e7e7df8407db9c40f0d012a3d9b3b4d4e3a52d32ec9a07870f5a37", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$DOCKER_REGISTRY/kagent-dev/kagent/kagent-adk:$VERSION", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|aee5372608e7e7df8407db9c40f0d012a3d9b3b4d4e3a52d32ec9a07870f5a37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/adk/basic/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 102148, "scanner": "repobility-docker", "fingerprint": "138031ea3f235db197eaf8faa94f51fa35a5672cd44da4f72fe9c1fea8b6b293", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$DOCKER_REGISTRY/$DOCKER_REPO/kagent-adk:$KAGENT_ADK_VERSION", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|138031ea3f235db197eaf8faa94f51fa35a5672cd44da4f72fe9c1fea8b6b293"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/Dockerfile.app"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 102146, "scanner": "repobility-docker", "fingerprint": "5fea76baf5781c479b3325a65dbaa7d90ee10fb154ff46e93ac600a19c25800c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASE_IMAGE_REGISTRY/chainguard/wolfi-base:latest", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|5fea76baf5781c479b3325a65dbaa7d90ee10fb154ff46e93ac600a19c25800c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 102145, "scanner": "repobility-docker", "fingerprint": "e239188d31e1d623d739d75cc49e5abba3cbbae036240b0823fa316b0badb60d", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/astral-sh/uv:${UV_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|e239188d31e1d623d739d75cc49e5abba3cbbae036240b0823fa316b0badb60d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 102142, "scanner": "repobility-docker", "fingerprint": "bddec56903ba66b568ab0d72457b0b6ab91b33b5aa977da948dd60bf3bb7146c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$DOCKER_REGISTRY/$DOCKER_REPO/kagent-adk:$VERSION", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|bddec56903ba66b568ab0d72457b0b6ab91b33b5aa977da948dd60bf3bb7146c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 102131, "scanner": "repobility-docker", "fingerprint": "5fae681eb16388511ed62b07ede2208047c38467126a6acc703cda0df439d165", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$DOCKER_REGISTRY/kagent-dev/kagent/kagent-adk:$VERSION", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|5fae681eb16388511ed62b07ede2208047c38467126a6acc703cda0df439d165"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/agent/frameworks/adk/python/templates/Dockerfile.tmpl"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 102130, "scanner": "repobility-docker", "fingerprint": "08000b0d391ac6f65c2d473c28b8f99d368f47d58f49bf208ff6354484ed7a1c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASE_IMAGE_REGISTRY/chainguard/wolfi-base:latest", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|08000b0d391ac6f65c2d473c28b8f99d368f47d58f49bf208ff6354484ed7a1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/Dockerfile.full"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 102129, "scanner": "repobility-docker", "fingerprint": "95250515bbfbdab31937715f74f685a3be5e2b761bb19e51d1bdeb52358e2e69", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASE_IMAGE_REGISTRY/chainguard/wolfi-base:latest", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|95250515bbfbdab31937715f74f685a3be5e2b761bb19e51d1bdeb52358e2e69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/Dockerfile.full"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 102128, "scanner": "repobility-docker", "fingerprint": "8309c6d8077cc6b31e5e932061df6cbc7370c667f3f2299f0952b5254e3ed839", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASE_IMAGE_REGISTRY/chainguard/go:latest", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|8309c6d8077cc6b31e5e932061df6cbc7370c667f3f2299f0952b5254e3ed839"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/Dockerfile.full"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 102127, "scanner": "repobility-docker", "fingerprint": "74f1fcd8e0097362c59953df204d8511e257c7414f6349b35a52b3f1bc5a44fb", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASE_IMAGE_REGISTRY/chainguard/go:latest", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|74f1fcd8e0097362c59953df204d8511e257c7414f6349b35a52b3f1bc5a44fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 102126, "scanner": "repobility-docker", "fingerprint": "feb4234743303006fb747f76544d2a49238d4a272ae29559137b1b64558bf3c8", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASE_IMAGE_REGISTRY/chainguard/go:latest", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|feb4234743303006fb747f76544d2a49238d4a272ae29559137b1b64558bf3c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/skills-init/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 102121, "scanner": "repobility-docker", "fingerprint": "56907fa6b55a71678fb267e74f65b0bd13f15fd22272a8e536ecf0c06e98b0b1", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$DOCKER_REGISTRY/astral-sh/uv:${TOOLS_UV_VERSION}-debian-slim", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|56907fa6b55a71678fb267e74f65b0bd13f15fd22272a8e536ecf0c06e98b0b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "properties": {"repobilityId": 102119, "scanner": "repobility-threat-engine", "fingerprint": "c122c540c206427549dbe62aaaf2a72cd4b346df5c268e966efbfb2e91d89bcf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c122c540c206427549dbe62aaaf2a72cd4b346df5c268e966efbfb2e91d89bcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/components/chat/TruncatableText.stories.tsx"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 102117, "scanner": "repobility-threat-engine", "fingerprint": "e3388b234273f4a2e74e16f8adc875a3f1486e18f190fcdf1616eb27c8e71c32", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e3388b234273f4a2e74e16f8adc875a3f1486e18f190fcdf1616eb27c8e71c32", "aggregated_count": 1}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 102116, "scanner": "repobility-threat-engine", "fingerprint": "ea0e9ecb9517b155985639264c38d0418b524b8f89dde3bf35826c0b171c45ed", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea0e9ecb9517b155985639264c38d0418b524b8f89dde3bf35826c0b171c45ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/components/chat/LLMCallModal.tsx"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 102115, "scanner": "repobility-threat-engine", "fingerprint": "03698cacae000f818b0ca0c3c7b9466a1d48d96cec077751d8b87d996cba150d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|03698cacae000f818b0ca0c3c7b9466a1d48d96cec077751d8b87d996cba150d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/components/agent-form/ByoDeploymentFields.tsx"}, "region": {"startLine": 175}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 102114, "scanner": "repobility-threat-engine", "fingerprint": "23b73390f7bf9a3c43a9671bc3fa65902c6700fa24041745623524663326f5ad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|23b73390f7bf9a3c43a9671bc3fa65902c6700fa24041745623524663326f5ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/components/agent-form/AgentSkillsFormSection.tsx"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 102112, "scanner": "repobility-threat-engine", "fingerprint": "976bb413e58f70f53fa6a891d8be3bb3844b6ff3fd9e04272cb46082ff0a16ea", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|976bb413e58f70f53fa6a891d8be3bb3844b6ff3fd9e04272cb46082ff0a16ea", "aggregated_count": 1}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 102111, "scanner": "repobility-threat-engine", "fingerprint": "9465e4d61fa7112f6249bd176dba0be5a830dd8cbcfb580ef2829622dbabe4cc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9465e4d61fa7112f6249bd176dba0be5a830dd8cbcfb580ef2829622dbabe4cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/components/chat/LLMCallModal.tsx"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 102110, "scanner": "repobility-threat-engine", "fingerprint": "ea19ea1897862bda3d1c3aa916ff183fba63ef8bc793ca6a682ade3a76934d1a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea19ea1897862bda3d1c3aa916ff183fba63ef8bc793ca6a682ade3a76934d1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/components/chat/ChatLayoutUI.tsx"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 102109, "scanner": "repobility-threat-engine", "fingerprint": "bd42210900d094f1c79c371b8d0d17673c5ca406475ace1915a11082084cc1ee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bd42210900d094f1c79c371b8d0d17673c5ca406475ace1915a11082084cc1ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/app/actions/sessions.ts"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 102108, "scanner": "repobility-threat-engine", "fingerprint": "ffc9ba3b9d5bd2d29c31b01830a880750f5647e3c9f440819f3cb38c6944b1b4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ffc9ba3b9d5bd2d29c31b01830a880750f5647e3c9f440819f3cb38c6944b1b4", "aggregated_count": 16}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 102107, "scanner": "repobility-threat-engine", "fingerprint": "8c395d74901fb2d00a2eefb9c147c73644c06c087aa3693b3a31e2de9c09f76f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8c395d74901fb2d00a2eefb9c147c73644c06c087aa3693b3a31e2de9c09f76f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/app/actions/utils.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 102106, "scanner": "repobility-threat-engine", "fingerprint": "a9b04fed7ee512fc908e5ebcf3fa864073268323468233126f6ce9ddc33a3183", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a9b04fed7ee512fc908e5ebcf3fa864073268323468233126f6ce9ddc33a3183"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/app/a2a/[namespace]/[agentName]/route.ts"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 102105, "scanner": "repobility-threat-engine", "fingerprint": "d1fb0c8c850bb7642df97794a30c27addb45eb9b29b9319c91f928908434725e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d1fb0c8c850bb7642df97794a30c27addb45eb9b29b9319c91f928908434725e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/app/a2a-sandboxes/[namespace]/[agentName]/route.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 102102, "scanner": "repobility-threat-engine", "fingerprint": "56de1d837920697df4c2abbc2843b8186d6e931342c15668d02f393437f57ed3", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|115|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/public/mockServiceWorker.js"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 102101, "scanner": "repobility-threat-engine", "fingerprint": "d6ff52f326a217119b363f1aee474b58469492e74a7fc3a211d777ba7b2b5474", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d6ff52f326a217119b363f1aee474b58469492e74a7fc3a211d777ba7b2b5474", "aggregated_count": 2}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 102100, "scanner": "repobility-threat-engine", "fingerprint": "48c4fa382516b5824d7665d0484169e4c45b9d54bf324c2469345b411f82ef38", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|48c4fa382516b5824d7665d0484169e4c45b9d54bf324c2469345b411f82ef38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/app/a2a/[namespace]/[agentName]/route.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 102099, "scanner": "repobility-threat-engine", "fingerprint": "f56b25e0c422c4c17c24fdbf496b658bdd825c8f2815b54972ed1aa6bbba5255", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f56b25e0c422c4c17c24fdbf496b658bdd825c8f2815b54972ed1aa6bbba5255"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/app/a2a-sandboxes/[namespace]/[agentName]/route.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 102098, "scanner": "repobility-threat-engine", "fingerprint": "12edff5b4a1d656cd5dbeaa3b7c17f74691d091a4debc25548c5e35773cdd3dc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|12edff5b4a1d656cd5dbeaa3b7c17f74691d091a4debc25548c5e35773cdd3dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/jest.config.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 36 more): Same pattern found in 36 additional files. Review if needed."}, "properties": {"repobilityId": 102086, "scanner": "repobility-threat-engine", "fingerprint": "e73953417d9f2ca9f8a94fbd30ff8e6f289ec5e7444c727341ccdd69f1a797de", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 36 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "fetch_well_known_configuration", "breakdown": {"if": 3, "else": 1, "except": 3, "nested_bonus": 1}, "aggregated": true, "complexity": 8, "correlation_key": "fp|e73953417d9f2ca9f8a94fbd30ff8e6f289ec5e7444c727341ccdd69f1a797de", "aggregated_count": 36}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 102081, "scanner": "repobility-threat-engine", "fingerprint": "0e87fb84ca93ee29f593dc34b2e01034b2b11f7cd91040a7dfa844a7632b0d1e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0e87fb84ca93ee29f593dc34b2e01034b2b11f7cd91040a7dfa844a7632b0d1e", "aggregated_count": 6}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 102080, "scanner": "repobility-threat-engine", "fingerprint": "a478971039938ed0c198778433ece65ea6d3cc4c21bb44fd2f59ccea0f461ea1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a478971039938ed0c198778433ece65ea6d3cc4c21bb44fd2f59ccea0f461ea1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/src/kagent/adk/artifacts/session_path.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 102079, "scanner": "repobility-threat-engine", "fingerprint": "d911a34b279990d896fb05e5e42713f41eca6cdaea58e9b16ac771d4e1245996", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d911a34b279990d896fb05e5e42713f41eca6cdaea58e9b16ac771d4e1245996"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/src/kagent/adk/_session_service.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 102078, "scanner": "repobility-threat-engine", "fingerprint": "0bc654ae03b73d15aff2605601111184efd5b40c0c392e955a2294659ba06f8a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0bc654ae03b73d15aff2605601111184efd5b40c0c392e955a2294659ba06f8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/agentsts-core/src/agentsts/core/client/_exceptions.py"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 102071, "scanner": "repobility-threat-engine", "fingerprint": "f3554231f2d32a33a651c3b39559f3d21263dabefeb5c7ba90040f806b6ba0ca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f3554231f2d32a33a651c3b39559f3d21263dabefeb5c7ba90040f806b6ba0ca"}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 102067, "scanner": "repobility-threat-engine", "fingerprint": "3484384774197e5b6a4121dc10bcc10f1014fb81e618afb8ac29a51006ac2a60", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3484384774197e5b6a4121dc10bcc10f1014fb81e618afb8ac29a51006ac2a60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cmd/controller/main.go"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC093", "level": "none", "message": {"text": "[SEC093] Go: exec.Command with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 102065, "scanner": "repobility-threat-engine", "fingerprint": "a92bfbfe9323f43c175afc257cc6d2f8ab7ffdfc52e91e27c7da2a42a7c6cbc6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a92bfbfe9323f43c175afc257cc6d2f8ab7ffdfc52e91e27c7da2a42a7c6cbc6"}}}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 102061, "scanner": "repobility-threat-engine", "fingerprint": "8f1fa769b3579a7ecc2409e0b1cb6081f6c86e7fa2df76427646ad8b5b9240d3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8f1fa769b3579a7ecc2409e0b1cb6081f6c86e7fa2df76427646ad8b5b9240d3", "aggregated_count": 9}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 102053, "scanner": "repobility-threat-engine", "fingerprint": "14ce4ae7a22d633b8fe645d2ab2c7e5422f6d980891ae5a572bf746a645a7bfd", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|14ce4ae7a22d633b8fe645d2ab2c7e5422f6d980891ae5a572bf746a645a7bfd"}}}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 102048, "scanner": "repobility-threat-engine", "fingerprint": "961c778412e7fbd86f6ba4183e5033c7cb9f706769045bc54758aaab521578b2", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|961c778412e7fbd86f6ba4183e5033c7cb9f706769045bc54758aaab521578b2"}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 102044, "scanner": "repobility-threat-engine", "fingerprint": "a890d6fb1bc1e523e976286f68faf975d3d50e2c404ee601f0c8000eb642094b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a890d6fb1bc1e523e976286f68faf975d3d50e2c404ee601f0c8000eb642094b", "aggregated_count": 8}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 102043, "scanner": "repobility-threat-engine", "fingerprint": "d32361a6b38dc4e799d98ab0223c582179b058e5ce7f7997fda89af63d0e05a9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d32361a6b38dc4e799d98ab0223c582179b058e5ce7f7997fda89af63d0e05a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/adk/pkg/a2a/server/server.go"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 102042, "scanner": "repobility-threat-engine", "fingerprint": "fee885999e18f9f51de151576c51830338d3392ebd6233cfaa19a1011ba61441", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fee885999e18f9f51de151576c51830338d3392ebd6233cfaa19a1011ba61441"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/adk/examples/oneshot/main.go"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 102041, "scanner": "repobility-threat-engine", "fingerprint": "ac9a5f877a0d62ca10c47158ef56c472f6034f18c9d1eeda6ec3943eafb0afed", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ac9a5f877a0d62ca10c47158ef56c472f6034f18c9d1eeda6ec3943eafb0afed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/adk/cmd/main.go"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 102040, "scanner": "repobility-threat-engine", "fingerprint": "019b39b089e0a5300e633ba49803bcfe4794f6c5a6a074ad04df1b5dc533e687", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|019b39b089e0a5300e633ba49803bcfe4794f6c5a6a074ad04df1b5dc533e687"}}}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 102036, "scanner": "repobility-threat-engine", "fingerprint": "6034ae12912f97ab7f85daf5d58925cc54d617c7ba2090be642605888a508e61", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6034ae12912f97ab7f85daf5d58925cc54d617c7ba2090be642605888a508e61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/components/chat/CodeBlock.stories.tsx"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 102035, "scanner": "repobility-threat-engine", "fingerprint": "3014b8db2221a17d3c61a1da372a0dc1c34e23b1f6160e7a51c5af78d2ee381c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3014b8db2221a17d3c61a1da372a0dc1c34e23b1f6160e7a51c5af78d2ee381c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/data/agent-framework/scenario1/run.sh"}, "region": {"startLine": 408}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 36 more): Same pattern found in 36 additional files. Review if needed."}, "properties": {"repobilityId": 102034, "scanner": "repobility-threat-engine", "fingerprint": "582994a6dae18bcd18677307d6ee4ecebb96be8e40999d1b54f40e9bfa092e12", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 36 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|582994a6dae18bcd18677307d6ee4ecebb96be8e40999d1b54f40e9bfa092e12", "aggregated_count": 36}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 102033, "scanner": "repobility-threat-engine", "fingerprint": "b08fb6d11b40b90c47e864f1af2a5c61966d20d52e0db86d7c07833512c2cbe1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b08fb6d11b40b90c47e864f1af2a5c61966d20d52e0db86d7c07833512c2cbe1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/adk/pkg/sts/utils.go"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 102032, "scanner": "repobility-threat-engine", "fingerprint": "5262499b4620948a7e27a4b351a8745d1b95a81a78e18c4880f3494ec5e2846b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5262499b4620948a7e27a4b351a8745d1b95a81a78e18c4880f3494ec5e2846b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/data/agent-framework/scenario1/test.js"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 102031, "scanner": "repobility-threat-engine", "fingerprint": "014072eb2b47620f752c933e52776ae02077d14bdb32c5cc64f962149f8fdd9c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|014072eb2b47620f752c933e52776ae02077d14bdb32c5cc64f962149f8fdd9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/data/agent-framework/scenario1/run.sh"}, "region": {"startLine": 263}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `start-server-and-test` is patch version(s) behind (3.0.5 -> 3.0.8)"}, "properties": {"repobilityId": 102016, "scanner": "repobility-dependency-currency", "fingerprint": "43780855552508c80e908900d1198316a94cb3e9c5223b19cdb395943ecde53a", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "start-server-and-test", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.8", "correlation_key": "fp|43780855552508c80e908900d1198316a94cb3e9c5223b19cdb395943ecde53a", "current_version": "3.0.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@radix-ui/react-slot` is patch version(s) behind (1.2.3 -> 1.2.4)"}, "properties": {"repobilityId": 102013, "scanner": "repobility-dependency-currency", "fingerprint": "d793b5dd011330aec112c0fdce0589db910781159893fcbc4fc7a4d81a5f927a", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@radix-ui/react-slot", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.2.4", "correlation_key": "fp|d793b5dd011330aec112c0fdce0589db910781159893fcbc4fc7a4d81a5f927a", "current_version": "1.2.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-161", "level": "error", "message": {"text": "starlette: PYSEC-2026-161"}, "properties": {"repobilityId": 102287, "scanner": "osv-scanner", "fingerprint": "0543a995417c91015c5546fd22ae31c243fa32e5e60b9f4ffd76f1bd71e8e1dd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-48710", "GHSA-86qp-5c8j-p5mr", "X41-2026-002"], "package": "starlette", "rule_id": "PYSEC-2026-161", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2026-48710|python/uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-86qp-5c8j-p5mr", "PYSEC-2026-161"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0543a995417c91015c5546fd22ae31c243fa32e5e60b9f4ffd76f1bd71e8e1dd", "d42b52c7a07dc41b6001709f8ee7fe529d0eae0ac25344068150ed955e3f2073"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-179", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-179"}, "properties": {"repobilityId": 102286, "scanner": "osv-scanner", "fingerprint": "093397221457a09349bc9cd8275f39ead4097122388bea9a1ce1cd3c0b1c305f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48526", "GHSA-xgmm-8j9v-c9wx"], "package": "pyjwt", "rule_id": "PYSEC-2026-179", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48526|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-178", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-178"}, "properties": {"repobilityId": 102285, "scanner": "osv-scanner", "fingerprint": "85c4a8a5031414bbf926198e5a1c0c30c57b1c9e69633f8d4eb1004e6afb7a75", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48525", "GHSA-w7vc-732c-9m39"], "package": "pyjwt", "rule_id": "PYSEC-2026-178", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48525|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-177", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-177"}, "properties": {"repobilityId": 102284, "scanner": "osv-scanner", "fingerprint": "2d39e68e1cbc9c778dcbb0f26360db57ee1da4ea30cc15996b92a7a86f0ebf01", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48524", "GHSA-fhv5-28vv-h8m8"], "package": "pyjwt", "rule_id": "PYSEC-2026-177", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48524|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-175", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-175"}, "properties": {"repobilityId": 102283, "scanner": "osv-scanner", "fingerprint": "50f619db442c6787e8e47e428a4fe0eb5f126da7d5a78e2c79bdd2ba855708e9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48522", "GHSA-993g-76c3-p5m4"], "package": "pyjwt", "rule_id": "PYSEC-2026-175", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48522|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-113", "level": "error", "message": {"text": "pyarrow: PYSEC-2026-113"}, "properties": {"repobilityId": 102281, "scanner": "osv-scanner", "fingerprint": "0e8106b152d1af68167e9016e79a8f3bd19bb9866d555040f8bed01eb7191356", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25087"], "package": "pyarrow", "rule_id": "PYSEC-2026-113", "scanner": "osv-scanner", "correlation_key": "vuln|pyarrow|CVE-2026-25087|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-whj4-6x5x-4v2j", "level": "error", "message": {"text": "pillow: GHSA-whj4-6x5x-4v2j"}, "properties": {"repobilityId": 102280, "scanner": "osv-scanner", "fingerprint": "cf18a9e90058a331c8a181a45a40016783b8356adba44eb049a284164756e84c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pillow-2026-40192", "CVE-2026-40192"], "package": "pillow", "rule_id": "GHSA-whj4-6x5x-4v2j", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2026-40192|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pwv6-vv43-88gr", "level": "error", "message": {"text": "pillow: GHSA-pwv6-vv43-88gr"}, "properties": {"repobilityId": 102278, "scanner": "osv-scanner", "fingerprint": "237030e0c0cf480842dcc3dae445ba76d43529efaf8ac73fdebb9106d4b5d12e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pillow-2026-42311", "CVE-2026-42311"], "package": "pillow", "rule_id": "GHSA-pwv6-vv43-88gr", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2026-42311|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cfh3-3jmp-rvhc", "level": "error", "message": {"text": "pillow: GHSA-cfh3-3jmp-rvhc"}, "properties": {"repobilityId": 102277, "scanner": "osv-scanner", "fingerprint": "209ea28bcb9e303efbb953b412178bd551184d253afee1a249a859239db91aef", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pillow-2026-25990", "CVE-2026-25990"], "package": "pillow", "rule_id": "GHSA-cfh3-3jmp-rvhc", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2026-25990|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-165", "level": "error", "message": {"text": "pillow: PYSEC-2026-165"}, "properties": {"repobilityId": 102275, "scanner": "osv-scanner", "fingerprint": "e3f625a2eef040f07f3381ed8ca9bd18767bac8a26a4c309466b0184cf2d7b37", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["BIT-pillow-2026-42308", "CVE-2026-42308", "GHSA-wjx4-4jcj-g98j"], "package": "pillow", "rule_id": "PYSEC-2026-165", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2026-42308|python/uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-wjx4-4jcj-g98j", "PYSEC-2026-165"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["75c343066b8b7e1c03a5607fd7335e320de4cafe9dd99de4d7d2600e46bb8724", "e3f625a2eef040f07f3381ed8ca9bd18767bac8a26a4c309466b0184cf2d7b37"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-107", "level": "error", "message": {"text": "orjson: PYSEC-2026-107"}, "properties": {"repobilityId": 102274, "scanner": "osv-scanner", "fingerprint": "36399e1a804d28bd8749ff37e08dc22fa985cd5969c118ac24a692256d49df2f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-67221", "GHSA-hx9q-6w63-j58v"], "package": "orjson", "rule_id": "PYSEC-2026-107", "scanner": "osv-scanner", "correlation_key": "vuln|orjson|CVE-2025-67221|python/uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-hx9q-6w63-j58v", "PYSEC-2026-107"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["36399e1a804d28bd8749ff37e08dc22fa985cd5969c118ac24a692256d49df2f", "a87751dcf389d7e633cb9e3a8342d6d2c1393b9d29c5f9581ea87fdb37d4031f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-87", "level": "error", "message": {"text": "lxml: PYSEC-2026-87"}, "properties": {"repobilityId": 102273, "scanner": "osv-scanner", "fingerprint": "87828b1df598fd83b9222ade8efede697eaaf08771cc7e520204a9ad73cd259e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-41066", "GHSA-vfmq-68hx-4jfw"], "package": "lxml", "rule_id": "PYSEC-2026-87", "scanner": "osv-scanner", "correlation_key": "vuln|lxml|CVE-2026-41066|python/uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-vfmq-68hx-4jfw", "PYSEC-2026-87"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["51f1d74775d758cd016c32a011e80f011db0067b186b9ec9ba6b78a2c04124f7", "87828b1df598fd83b9222ade8efede697eaaf08771cc7e520204a9ad73cd259e"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3644-q5cj-c5c7", "level": "error", "message": {"text": "langsmith: GHSA-3644-q5cj-c5c7"}, "properties": {"repobilityId": 102270, "scanner": "osv-scanner", "fingerprint": "1b128276d4317cd32f2f17bd357f2d6e577ed9817d92bf93980589674c015dbb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45134"], "package": "langsmith", "rule_id": "GHSA-3644-q5cj-c5c7", "scanner": "osv-scanner", "correlation_key": "vuln|langsmith|CVE-2026-45134|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3936-cmfr-pm3m", "level": "error", "message": {"text": "black: GHSA-3936-cmfr-pm3m"}, "properties": {"repobilityId": 102266, "scanner": "osv-scanner", "fingerprint": "a9197e24ac820306f6cbea8ea28d0fdc50ffd09bec5a12a5d78fbabde1231aa7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-32274"], "package": "black", "rule_id": "GHSA-3936-cmfr-pm3m", "scanner": "osv-scanner", "correlation_key": "vuln|black|CVE-2026-32274|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7f5h-v6xp-fcq8", "level": "error", "message": {"text": "starlette: GHSA-7f5h-v6xp-fcq8"}, "properties": {"repobilityId": 102263, "scanner": "osv-scanner", "fingerprint": "c641fed9395007a44e5b7c50ad0f34b8824f54568cd8fe2b99b5466e53e55cc7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-62727"], "package": "starlette", "rule_id": "GHSA-7f5h-v6xp-fcq8", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2025-62727|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/adk/basic/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9h52-p55h-vw2f", "level": "error", "message": {"text": "mcp: GHSA-9h52-p55h-vw2f"}, "properties": {"repobilityId": 102262, "scanner": "osv-scanner", "fingerprint": "3917d5d578df7d5d8301ac6e6b03ab87ebc3c0795d7148245cd517b3ca0b1796", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66416"], "package": "mcp", "rule_id": "GHSA-9h52-p55h-vw2f", "scanner": "osv-scanner", "correlation_key": "vuln|mcp|CVE-2025-66416|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/adk/basic/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wh2j-26j7-9728", "level": "error", "message": {"text": "google-cloud-aiplatform: GHSA-wh2j-26j7-9728"}, "properties": {"repobilityId": 102261, "scanner": "osv-scanner", "fingerprint": "96d73aa9ad7c741da4d7e1ed2bb0e8b6f0cad62800850d494d04087c0732aa44", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2473"], "package": "google-cloud-aiplatform", "rule_id": "GHSA-wh2j-26j7-9728", "scanner": "osv-scanner", "correlation_key": "vuln|google-cloud-aiplatform|CVE-2026-2473|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/adk/basic/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qv8j-hgpc-vrq8", "level": "error", "message": {"text": "google-cloud-aiplatform: GHSA-qv8j-hgpc-vrq8"}, "properties": {"repobilityId": 102260, "scanner": "osv-scanner", "fingerprint": "b94471e37267e4135e34804a18cc0dc51b6396cd86d1c5a48dc1922afc949afc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2472"], "package": "google-cloud-aiplatform", "rule_id": "GHSA-qv8j-hgpc-vrq8", "scanner": "osv-scanner", "correlation_key": "vuln|google-cloud-aiplatform|CVE-2026-2472|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/adk/basic/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pq5p-34cr-23v9", "level": "error", "message": {"text": "authlib: GHSA-pq5p-34cr-23v9"}, "properties": {"repobilityId": 102257, "scanner": "osv-scanner", "fingerprint": "90fda29869bfaf39aff4b0a3f928a78d8fd3d9acd5cc5a6dd196a92b29758d19", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-61920"], "package": "authlib", "rule_id": "GHSA-pq5p-34cr-23v9", "scanner": "osv-scanner", "correlation_key": "vuln|authlib|CVE-2025-61920|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/adk/basic/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m344-f55w-2m6j", "level": "error", "message": {"text": "authlib: GHSA-m344-f55w-2m6j"}, "properties": {"repobilityId": 102256, "scanner": "osv-scanner", "fingerprint": "7783df7248f2b8c6e08deddee27663751880705e193a8231a0b8d05d74d16a58", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-28498"], "package": "authlib", "rule_id": "GHSA-m344-f55w-2m6j", "scanner": "osv-scanner", "correlation_key": "vuln|authlib|CVE-2026-28498|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/adk/basic/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7432-952r-cw78", "level": "error", "message": {"text": "authlib: GHSA-7432-952r-cw78"}, "properties": {"repobilityId": 102253, "scanner": "osv-scanner", "fingerprint": "64d34a253714615db58c7a46f304f293d630d807a0f774d2b88ea51982f7fd86", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-28490"], "package": "authlib", "rule_id": "GHSA-7432-952r-cw78", "scanner": "osv-scanner", "correlation_key": "vuln|authlib|CVE-2026-28490|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/adk/basic/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5039", "level": "error", "message": {"text": "stdlib: GO-2026-5039"}, "properties": {"repobilityId": 102252, "scanner": "osv-scanner", "fingerprint": "4e25d1c38e679bd2a3a2b6c3183a550cc5c3ac27f21fd52fdf08704f70986cec", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-42507", "CVE-2026-42507"], "package": "stdlib", "rule_id": "GO-2026-5039", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-42507|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5038", "level": "error", "message": {"text": "stdlib: GO-2026-5038"}, "properties": {"repobilityId": 102251, "scanner": "osv-scanner", "fingerprint": "117a9005823b5b17bb9659def80a0d295877bcd47ed4cfc64012510e1bb9b456", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-42504", "CVE-2026-42504"], "package": "stdlib", "rule_id": "GO-2026-5038", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-42504|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5037", "level": "error", "message": {"text": "stdlib: GO-2026-5037"}, "properties": {"repobilityId": 102250, "scanner": "osv-scanner", "fingerprint": "408b1a8515d530cd07b437172dd7fc370e9ef7ea8c2c895a62c8762b29d3b363", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-27145", "CVE-2026-27145"], "package": "stdlib", "rule_id": "GO-2026-5037", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-27145|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4986", "level": "error", "message": {"text": "stdlib: GO-2026-4986"}, "properties": {"repobilityId": 102249, "scanner": "osv-scanner", "fingerprint": "d5fb844854276fd1757d19c44e6e2633f4c91648a665da1425b5237acd978b48", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39820", "CVE-2026-39820"], "package": "stdlib", "rule_id": "GO-2026-4986", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39820|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4982", "level": "error", "message": {"text": "stdlib: GO-2026-4982"}, "properties": {"repobilityId": 102248, "scanner": "osv-scanner", "fingerprint": "c01d004aa5b1ec5632a420eb71f869d2f0b8f9076e0f2a055dea3bdef59b9224", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39823", "CVE-2026-39823"], "package": "stdlib", "rule_id": "GO-2026-4982", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39823|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4981", "level": "error", "message": {"text": "stdlib: GO-2026-4981"}, "properties": {"repobilityId": 102247, "scanner": "osv-scanner", "fingerprint": "d616874ec6a8eec9646d2224d21684484add07020de25fd131ad9a8194e96073", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-33811", "CVE-2026-33811"], "package": "stdlib", "rule_id": "GO-2026-4981", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-33811|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4980", "level": "error", "message": {"text": "stdlib: GO-2026-4980"}, "properties": {"repobilityId": 102246, "scanner": "osv-scanner", "fingerprint": "753d3df79182d50e2b7be20929858fe8b01fb9185aa709f86bcd4a7488f3078f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39826", "CVE-2026-39826"], "package": "stdlib", "rule_id": "GO-2026-4980", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39826|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4977", "level": "error", "message": {"text": "stdlib: GO-2026-4977"}, "properties": {"repobilityId": 102245, "scanner": "osv-scanner", "fingerprint": "463a196fdfa237fe4fb112938ed6ad8cf4372c10d9b5ae40d454ba91e445cae7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-42499", "CVE-2026-42499"], "package": "stdlib", "rule_id": "GO-2026-4977", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-42499|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4976", "level": "error", "message": {"text": "stdlib: GO-2026-4976"}, "properties": {"repobilityId": 102244, "scanner": "osv-scanner", "fingerprint": "afaec3acf02c20e21ada86e4ec555750298e34f32197eb48b78857540f4d67d7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39825", "CVE-2026-39825"], "package": "stdlib", "rule_id": "GO-2026-4976", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39825|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4971", "level": "error", "message": {"text": "stdlib: GO-2026-4971"}, "properties": {"repobilityId": 102243, "scanner": "osv-scanner", "fingerprint": "d10863b3733f09f3c8df989c764d5400591b94e111d107e7c1b949a75a03609c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39836", "CVE-2026-39836"], "package": "stdlib", "rule_id": "GO-2026-4971", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39836|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4918", "level": "error", "message": {"text": "stdlib: GO-2026-4918"}, "properties": {"repobilityId": 102242, "scanner": "osv-scanner", "fingerprint": "6629383a778c752de6e7f58fde24fb00ce44623d634923abd9b230d7bc57cf18", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-33814", "CVE-2026-33814"], "package": "stdlib", "rule_id": "GO-2026-4918", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-33814|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5030", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5030"}, "properties": {"repobilityId": 102241, "scanner": "osv-scanner", "fingerprint": "54487eeb66ece25514caaea63588efaadd907174480dc2b2e3ed1ee835acab64", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27136"], "package": "golang.org/x/net", "rule_id": "GO-2026-5030", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-27136|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5029", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5029"}, "properties": {"repobilityId": 102240, "scanner": "osv-scanner", "fingerprint": "e40975564825918f1188dccdced37e987b1d73a97026928e34ea087ae49a9b38", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25681"], "package": "golang.org/x/net", "rule_id": "GO-2026-5029", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-25681|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5028", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5028"}, "properties": {"repobilityId": 102239, "scanner": "osv-scanner", "fingerprint": "a91196ef08cb2fd34b523beda23854836d0e92caed866147528574cfbaad9f16", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25680"], "package": "golang.org/x/net", "rule_id": "GO-2026-5028", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-25680|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5027", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5027"}, "properties": {"repobilityId": 102238, "scanner": "osv-scanner", "fingerprint": "2c281129016594cd5ea9fc19c95e6b50858c2120f5a813231d5b6c38818f14db", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42502"], "package": "golang.org/x/net", "rule_id": "GO-2026-5027", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-42502|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5026", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5026"}, "properties": {"repobilityId": 102237, "scanner": "osv-scanner", "fingerprint": "958754bb8c018485c470c33fda2e8de49c07e7f5c7e03384065089f9c5b5e8de", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39821"], "package": "golang.org/x/net", "rule_id": "GO-2026-5026", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-39821|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5025", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5025"}, "properties": {"repobilityId": 102236, "scanner": "osv-scanner", "fingerprint": "cb4f37393ccfbacd1d53f9cefff56e5a64637ddffefce3b27b8aa9813e7322ac", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42506"], "package": "golang.org/x/net", "rule_id": "GO-2026-5025", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-42506|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5033", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5033"}, "properties": {"repobilityId": 102235, "scanner": "osv-scanner", "fingerprint": "7e1311369772a8897521445d76bbe0b3c7362e68308c4f2141f28fb3ff2a1e90", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46598"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5033", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-46598|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5023", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5023"}, "properties": {"repobilityId": 102234, "scanner": "osv-scanner", "fingerprint": "f69b3f75aae641e89b2470321d834acf04c2fcbef1d8e5826273663852896aa5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46595"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5023", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-46595|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5021", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5021"}, "properties": {"repobilityId": 102233, "scanner": "osv-scanner", "fingerprint": "c5e5bb88f89a1070fd68767b6658b7bb31a36c85bbce733bddf1725f40243d91", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42508"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5021", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-42508|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5020", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5020"}, "properties": {"repobilityId": 102232, "scanner": "osv-scanner", "fingerprint": "bec409334b8c52597d01ffae9474a0cc155caba7b6f6bbbf57427f6223eccbd8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39834"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5020", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39834|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5019", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5019"}, "properties": {"repobilityId": 102231, "scanner": "osv-scanner", "fingerprint": "adb0e0411cc869155537056172131daea22490917dc7e6721c83e3bafb9ae8b9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39831"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5019", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39831|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5018", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5018"}, "properties": {"repobilityId": 102230, "scanner": "osv-scanner", "fingerprint": "1198fda3bc35dc2d87ca60558be7ef77dc595482c456263bcfd650eaacc462c3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39829"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5018", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39829|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5017", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5017"}, "properties": {"repobilityId": 102229, "scanner": "osv-scanner", "fingerprint": "5fdb1806428228d35b7172ed319f7f067f81871df663ccb2720d15218d78abbb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39830"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5017", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39830|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5016", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5016"}, "properties": {"repobilityId": 102228, "scanner": "osv-scanner", "fingerprint": "e93b9b6aa4c34908751b15c7fb4662b2085e06f9fd8d8c75c611fb151a89e4ba", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39827"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5016", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39827|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5015", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5015"}, "properties": {"repobilityId": 102227, "scanner": "osv-scanner", "fingerprint": "f792fa693c05e32021aa9e33d3bab82b78a255d5a3ba89c95d19822ca0983490", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39835"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5015", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39835|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5014", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5014"}, "properties": {"repobilityId": 102226, "scanner": "osv-scanner", "fingerprint": "7cf3cc8a9bd41ed5f44d52af92985eec11012fa429caaeeca5a6dd4a41891b28", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39828"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5014", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39828|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5013", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5013"}, "properties": {"repobilityId": 102225, "scanner": "osv-scanner", "fingerprint": "0817522c2cf2ded29ac574e5e6a259c111c6849f17c705407b02660a3a1747e2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46597"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5013", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-46597|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5006", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5006"}, "properties": {"repobilityId": 102224, "scanner": "osv-scanner", "fingerprint": "079dadb059556ae6100c253b1c36eac774962df82ad5c00a0a2848b86c82b139", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39832"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5006", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39832|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5005", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5005"}, "properties": {"repobilityId": 102223, "scanner": "osv-scanner", "fingerprint": "0b23e51a348a52718c04f660f944493d1ebce8c5e7fe1970e25c7b42f95bcb5c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39833"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5005", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39833|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4251", "level": "error", "message": {"text": "github.com/ollama/ollama: GO-2025-4251"}, "properties": {"repobilityId": 102222, "scanner": "osv-scanner", "fingerprint": "91d3f75c22b4201829b8a5b7f09f9631ece639933680244a7007cda01b5e8525", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-63389", "GHSA-f6mr-38g8-39rg"], "package": "github.com/ollama/ollama", "rule_id": "GO-2025-4251", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/ollama/ollama|CVE-2025-63389|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3824", "level": "error", "message": {"text": "github.com/ollama/ollama: GO-2025-3824"}, "properties": {"repobilityId": 102221, "scanner": "osv-scanner", "fingerprint": "f20d25d581a74ed1cf2db9ac3344f59bdb75bdce56204a33fe6a5290b78df1ba", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-51471", "GHSA-x9hg-5q6g-q3jr", "PYSEC-2025-147"], "package": "github.com/ollama/ollama", "rule_id": "GO-2025-3824", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/ollama/ollama|CVE-2025-51471|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3695", "level": "error", "message": {"text": "github.com/ollama/ollama: GO-2025-3695"}, "properties": {"repobilityId": 102220, "scanner": "osv-scanner", "fingerprint": "286c07710df9bf096d6b48a26a1e820d8957ce01ea774b99af2279a81a46f467", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-1975", "GHSA-wrh5-cmwx-q2qr", "PYSEC-2025-145"], "package": "github.com/ollama/ollama", "rule_id": "GO-2025-3695", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/ollama/ollama|CVE-2025-1975|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3689", "level": "error", "message": {"text": "github.com/ollama/ollama: GO-2025-3689"}, "properties": {"repobilityId": 102219, "scanner": "osv-scanner", "fingerprint": "2b25300e1f48af9e79d27899b69491ac32d0e9a19e4ea045d117d8992cdc8192", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-8063", "GHSA-2xf2-gjm6-g2c6", "PYSEC-2025-144"], "package": "github.com/ollama/ollama", "rule_id": "GO-2025-3689", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/ollama/ollama|CVE-2024-8063|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3582", "level": "error", "message": {"text": "github.com/ollama/ollama: GO-2025-3582"}, "properties": {"repobilityId": 102218, "scanner": "osv-scanner", "fingerprint": "3a3a0a1538f057b339f4159f61ba51137a1642d1b32ed17e73417e36ccc65f89", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-0312", "GHSA-p2wh-w96x-w232"], "package": "github.com/ollama/ollama", "rule_id": "GO-2025-3582", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/ollama/ollama|CVE-2025-0312|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3559", "level": "error", "message": {"text": "github.com/ollama/ollama: GO-2025-3559"}, "properties": {"repobilityId": 102217, "scanner": "osv-scanner", "fingerprint": "fff8c0d6530c6d9d684a5ca6aeb24a05cd6f236d3d480ee07eb2d765d2534dbf", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-0317", "GHSA-9gcr-28rp-cc24"], "package": "github.com/ollama/ollama", "rule_id": "GO-2025-3559", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/ollama/ollama|CVE-2025-0317|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3558", "level": "error", "message": {"text": "github.com/ollama/ollama: GO-2025-3558"}, "properties": {"repobilityId": 102216, "scanner": "osv-scanner", "fingerprint": "376ef65d53a984259d26a6af362a16ab574eeff779cd75cf4efab4e1a1f9f89a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-12055", "GHSA-89qx-m49c-8crf"], "package": "github.com/ollama/ollama", "rule_id": "GO-2025-3558", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/ollama/ollama|CVE-2024-12055|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3557", "level": "error", "message": {"text": "github.com/ollama/ollama: GO-2025-3557"}, "properties": {"repobilityId": 102215, "scanner": "osv-scanner", "fingerprint": "1fc6e470a2e19b8f5b173f528e44c48311de8c97133833a335c8e481bfbbc5e0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-0315", "GHSA-fccc-8m69-8r78"], "package": "github.com/ollama/ollama", "rule_id": "GO-2025-3557", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/ollama/ollama|CVE-2025-0315|go/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gm62-xv2j-4w53", "level": "error", "message": {"text": "urllib3: GHSA-gm62-xv2j-4w53"}, "properties": {"repobilityId": 102214, "scanner": "osv-scanner", "fingerprint": "2588c2c92b3b5f3f7d94d61f5d3ba4be2b186c7b7c1b7f073b4dec715a64acc3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-66418"], "package": "urllib3", "rule_id": "GHSA-gm62-xv2j-4w53", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-66418|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-gm62-xv2j-4w53"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0b994d94113518e89fbaff09da6d886c2d83c190ce0ef847cede19e16e7e1c60", "2588c2c92b3b5f3f7d94d61f5d3ba4be2b186c7b7c1b7f073b4dec715a64acc3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38jv-5279-wg99", "level": "error", "message": {"text": "urllib3: GHSA-38jv-5279-wg99"}, "properties": {"repobilityId": 102213, "scanner": "osv-scanner", "fingerprint": "d907717c255231c912c8c9a050d8ed75729686ccf59c8a8a599aebc2df7dbdbd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-21441"], "package": "urllib3", "rule_id": "GHSA-38jv-5279-wg99", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-21441|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-38jv-5279-wg99"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["21e2bd3b8b018b3a16a03fdf4fa8dbb55995854c980039201a1e02a941c1bcc4", "d907717c255231c912c8c9a050d8ed75729686ccf59c8a8a599aebc2df7dbdbd"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2xpw-w6gg-jr37", "level": "error", "message": {"text": "urllib3: GHSA-2xpw-w6gg-jr37"}, "properties": {"repobilityId": 102212, "scanner": "osv-scanner", "fingerprint": "bf8ce3147e94de1ee54524552368a49edba540cf4c10eef56c3fe9f2398b21b5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-66471"], "package": "urllib3", "rule_id": "GHSA-2xpw-w6gg-jr37", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-66471|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-2xpw-w6gg-jr37"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["26413085d740811169f97ae7f06315a2cece21ba30e819811105a0f09ff460be", "bf8ce3147e94de1ee54524552368a49edba540cf4c10eef56c3fe9f2398b21b5"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-141", "level": "error", "message": {"text": "urllib3: PYSEC-2026-141"}, "properties": {"repobilityId": 102211, "scanner": "osv-scanner", "fingerprint": "5b5e477be5fe95c33cb67cbad79b69e446e690dea77f5f8eea57135dfd4e445d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44431", "GHSA-qccp-gfcp-xxvc"], "package": "urllib3", "rule_id": "PYSEC-2026-141", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-44431|token", "duplicate_count": 3, "duplicate_rule_ids": ["GHSA-qccp-gfcp-xxvc", "PYSEC-2026-141"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["176a3a1f6d8e04cc34fef79145a38bcfa41350c85fe342da05b038f76e152a95", "2b7367d6e99b42b6b6e9cd1da14e378833993aa86d5c33b2c43dc50bde65b1fb", "3626e21716dd608b9bc66e7c6c734797a15c48176628c8b9f220defa949d44b2", "5b5e477be5fe95c33cb67cbad79b69e446e690dea77f5f8eea57135dfd4e445d"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-161", "level": "error", "message": {"text": "starlette: PYSEC-2026-161"}, "properties": {"repobilityId": 102210, "scanner": "osv-scanner", "fingerprint": "e3765488529477d7f69930069900a96543be79c4e4fe5859c82e0be7939b2ebc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-48710", "GHSA-86qp-5c8j-p5mr", "X41-2026-002"], "package": "starlette", "rule_id": "PYSEC-2026-161", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2026-48710|token", "duplicate_count": 3, "duplicate_rule_ids": ["GHSA-86qp-5c8j-p5mr", "PYSEC-2026-161"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["17136a8e4e7c4cc2d2f75f2e0b2947eec7b9a2b07b044383cafb98d2952db367", "40196f29c685fc9ac8cc209726a279245318d5fd43311f36266133ec7b1dd404", "cde7989b959ec67643318014bf983be1407a52a5e48c24926d8ab62ec1cf70bf", "e3765488529477d7f69930069900a96543be79c4e4fe5859c82e0be7939b2ebc"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wp53-j4wj-2cfg", "level": "error", "message": {"text": "python-multipart: GHSA-wp53-j4wj-2cfg"}, "properties": {"repobilityId": 102208, "scanner": "osv-scanner", "fingerprint": "77364a3bee10eb2d1e657ebd51ddfd26d5179222742efe460eafc683df8f56f2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-24486"], "package": "python-multipart", "rule_id": "GHSA-wp53-j4wj-2cfg", "scanner": "osv-scanner", "correlation_key": "vuln|python-multipart|CVE-2026-24486|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-wp53-j4wj-2cfg"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["77364a3bee10eb2d1e657ebd51ddfd26d5179222742efe460eafc683df8f56f2", "d218e3adbe15976f56814d58f71dd8e8e4e52cb37962cf0a8e9a50aa6ae1b532"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pp6c-gr5w-3c5g", "level": "error", "message": {"text": "python-multipart: GHSA-pp6c-gr5w-3c5g"}, "properties": {"repobilityId": 102207, "scanner": "osv-scanner", "fingerprint": "bd25462db6cdd0698d3136f42bc0a58e366155cdd0fcd464c81ae7f53d22794e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-42561"], "package": "python-multipart", "rule_id": "GHSA-pp6c-gr5w-3c5g", "scanner": "osv-scanner", "correlation_key": "vuln|python-multipart|CVE-2026-42561|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-pp6c-gr5w-3c5g"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["2f5f633e66e65803082756d1793a917d44ff1d995a68a3438c087b24454b4377", "bd25462db6cdd0698d3136f42bc0a58e366155cdd0fcd464c81ae7f53d22794e"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5pwr-322w-8jr4", "level": "error", "message": {"text": "pyopenssl: GHSA-5pwr-322w-8jr4"}, "properties": {"repobilityId": 102203, "scanner": "osv-scanner", "fingerprint": "62b7854ca8b3aa8816bd37461d2c19bf3941ec0b2db822a744f6ea8d28c2fd6f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27459"], "package": "pyopenssl", "rule_id": "GHSA-5pwr-322w-8jr4", "scanner": "osv-scanner", "correlation_key": "vuln|pyopenssl|CVE-2026-27459|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-179", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-179"}, "properties": {"repobilityId": 102202, "scanner": "osv-scanner", "fingerprint": "76e10867554a9abb2e2490dfda8833a25e778750f1c3200afb73faa0d8d7b5c3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48526", "GHSA-xgmm-8j9v-c9wx"], "package": "pyjwt", "rule_id": "PYSEC-2026-179", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48526|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-178", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-178"}, "properties": {"repobilityId": 102201, "scanner": "osv-scanner", "fingerprint": "9fe9e6a8e5d690342724ad5a1b400dab879aebab0f6a1dfc000fb419e833fdc9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48525", "GHSA-w7vc-732c-9m39"], "package": "pyjwt", "rule_id": "PYSEC-2026-178", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48525|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-177", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-177"}, "properties": {"repobilityId": 102200, "scanner": "osv-scanner", "fingerprint": "67ebb69d363bf2702a5744561af1b719946b17f4747088005b281b93c736f50f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48524", "GHSA-fhv5-28vv-h8m8"], "package": "pyjwt", "rule_id": "PYSEC-2026-177", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48524|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-175", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-175"}, "properties": {"repobilityId": 102199, "scanner": "osv-scanner", "fingerprint": "714e76377e3c44abe9673e333b04e2a3f050efa9979f5ded812d02913a2f2c0c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48522", "GHSA-993g-76c3-p5m4"], "package": "pyjwt", "rule_id": "PYSEC-2026-175", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48522|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jr27-m4p2-rc6r", "level": "error", "message": {"text": "pyasn1: GHSA-jr27-m4p2-rc6r"}, "properties": {"repobilityId": 102198, "scanner": "osv-scanner", "fingerprint": "56dc4cd219741bb87cc7a8eabff0fde826dfecf1ad26127d59768e6fc3939013", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-30922"], "package": "pyasn1", "rule_id": "GHSA-jr27-m4p2-rc6r", "scanner": "osv-scanner", "correlation_key": "vuln|pyasn1|CVE-2026-30922|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-jr27-m4p2-rc6r"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["56dc4cd219741bb87cc7a8eabff0fde826dfecf1ad26127d59768e6fc3939013", "73d05acf75fd93892098390912f68e9d08100e23a3539bc7a0b6d52765f5b84f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-63vm-454h-vhhq", "level": "error", "message": {"text": "pyasn1: GHSA-63vm-454h-vhhq"}, "properties": {"repobilityId": 102197, "scanner": "osv-scanner", "fingerprint": "666072f25b26c230bb15af76da54f1cd2058a68905e614209cb17dbae3e18310", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-23490"], "package": "pyasn1", "rule_id": "GHSA-63vm-454h-vhhq", "scanner": "osv-scanner", "correlation_key": "vuln|pyasn1|CVE-2026-23490|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-63vm-454h-vhhq"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["4a1528dfcb4f36c6cf75ab66650327daa160d442f1cea0e2a98eec5398a91b2d", "666072f25b26c230bb15af76da54f1cd2058a68905e614209cb17dbae3e18310"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7gcm-g887-7qv7", "level": "error", "message": {"text": "protobuf: GHSA-7gcm-g887-7qv7"}, "properties": {"repobilityId": 102196, "scanner": "osv-scanner", "fingerprint": "30bfbbcfbd4852b2193a8cf1cc25bfc83f526d390c036535895b9f816d410da6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-0994"], "package": "protobuf", "rule_id": "GHSA-7gcm-g887-7qv7", "scanner": "osv-scanner", "correlation_key": "vuln|protobuf|CVE-2026-0994|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-7gcm-g887-7qv7"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["30bfbbcfbd4852b2193a8cf1cc25bfc83f526d390c036535895b9f816d410da6", "ffe9cee8b531061abd8dc4858604865882daf1aed5fdcfaf9524c41a4fa6cd59"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2h4p-vjrc-8xpq", "level": "error", "message": {"text": "mako: GHSA-2h4p-vjrc-8xpq"}, "properties": {"repobilityId": 102195, "scanner": "osv-scanner", "fingerprint": "7972f2d39e770877652f3181ad5b681052e50c6fd9363887ae039179c7f15137", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44307"], "package": "mako", "rule_id": "GHSA-2h4p-vjrc-8xpq", "scanner": "osv-scanner", "correlation_key": "vuln|mako|CVE-2026-44307|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-88", "level": "error", "message": {"text": "mako: PYSEC-2026-88"}, "properties": {"repobilityId": 102194, "scanner": "osv-scanner", "fingerprint": "99345e8992636695aeb3d2ec83deac6b586afbf56f4307e0f850dcbd58d3d3fb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-41205", "GHSA-v92g-xgxw-vvmm"], "package": "mako", "rule_id": "PYSEC-2026-88", "scanner": "osv-scanner", "correlation_key": "vuln|mako|CVE-2026-41205|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-v92g-xgxw-vvmm", "PYSEC-2026-88"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["814f05c3f3002f424b62b07bebf474ba32cecf8564d391e6cd83efcc40a73887", "99345e8992636695aeb3d2ec83deac6b586afbf56f4307e0f850dcbd58d3d3fb"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r6ph-v2qm-q3c2", "level": "error", "message": {"text": "cryptography: GHSA-r6ph-v2qm-q3c2"}, "properties": {"repobilityId": 102192, "scanner": "osv-scanner", "fingerprint": "aebd5203160fd6f28a78b0ff3a8f9565df8579197e4f1a497e3f3d926849c678", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-26007"], "package": "cryptography", "rule_id": "GHSA-r6ph-v2qm-q3c2", "scanner": "osv-scanner", "correlation_key": "vuln|cryptography|CVE-2026-26007|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-r6ph-v2qm-q3c2"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["7d1507ff289e06e14452a4a527ad73372a28465cfc09cf079bf43e63f3e08291", "aebd5203160fd6f28a78b0ff3a8f9565df8579197e4f1a497e3f3d926849c678"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-36", "level": "error", "message": {"text": "cryptography: PYSEC-2026-36"}, "properties": {"repobilityId": 102191, "scanner": "osv-scanner", "fingerprint": "23df0eb4811554677e059ff7ad6d08adad6695e6d22277bd2c02a264cae1de6d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-39892", "GHSA-p423-j2cm-9vmq"], "package": "cryptography", "rule_id": "PYSEC-2026-36", "scanner": "osv-scanner", "correlation_key": "vuln|cryptography|CVE-2026-39892|token", "duplicate_count": 3, "duplicate_rule_ids": ["GHSA-p423-j2cm-9vmq", "PYSEC-2026-36"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1cc8ffec3fddc9c03b0110e4d790680e6fcca7a694721799dbc78fcb65ab521c", "23df0eb4811554677e059ff7ad6d08adad6695e6d22277bd2c02a264cae1de6d", "7bafb3170ab4f5bc1a8e18558c977b9a4513371409eff72ea3b1b20cb683de1f", "b7d4528a584f0a0e59e7acc005f451fb6b93815ab45ccc522652a7182189c9a9"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-35", "level": "error", "message": {"text": "cryptography: PYSEC-2026-35"}, "properties": {"repobilityId": 102190, "scanner": "osv-scanner", "fingerprint": "af083402b27f6a06eb4aca5340c2bc80fe54955db40885ca9d70ea9a2fd6f3f8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-34073", "GHSA-m959-cc7f-wv43"], "package": "cryptography", "rule_id": "PYSEC-2026-35", "scanner": "osv-scanner", "correlation_key": "vuln|cryptography|CVE-2026-34073|token", "duplicate_count": 3, "duplicate_rule_ids": ["GHSA-m959-cc7f-wv43", "PYSEC-2026-35"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["4e4746c8e6c128dc21c938e0430d6684a0cf58b1bb74e3c3d1bace038bf1a5e0", "84148b342c157d5c6f1280a4a5ad18b0710cf7eaee69a47c269b3569a89ab65b", "af083402b27f6a06eb4aca5340c2bc80fe54955db40885ca9d70ea9a2fd6f3f8", "b1ff9b8fff504b1915e6f3bac60b033ca15d841d1dd96a36b7b03d97f74e256f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-25", "level": "error", "message": {"text": "authlib: PYSEC-2026-25"}, "properties": {"repobilityId": 102189, "scanner": "osv-scanner", "fingerprint": "aaa3a1fc40ff628d40f6a3fe222e785932d4f513f1e6e1f5539dd4bdd371ce89", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-41425", "GHSA-jj8c-mmj3-mmgv"], "package": "authlib", "rule_id": "PYSEC-2026-25", "scanner": "osv-scanner", "correlation_key": "vuln|authlib|CVE-2026-41425|token", "duplicate_count": 3, "duplicate_rule_ids": ["GHSA-jj8c-mmj3-mmgv", "PYSEC-2026-25"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["162c793e7c0a13f8d2e08901da8e0a47265188f3f76a421409fa178555082966", "3a2e5e876f119c3b829f7715a1cb5adfea549a6634b553b860f01b0b011074df", "aaa3a1fc40ff628d40f6a3fe222e785932d4f513f1e6e1f5539dd4bdd371ce89", "ecfdb6a94b0088a8c1e5e7c755766c59696e123630672d0dbbe8055e755e39eb"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-188", "level": "error", "message": {"text": "authlib: PYSEC-2026-188"}, "properties": {"repobilityId": 102188, "scanner": "osv-scanner", "fingerprint": "606aee95f3b204ee16adc0b42f689f9cda603f19afcbe6c5a65fbf4c6386e2c7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44681", "GHSA-r95x-qfjj-fjj2"], "package": "authlib", "rule_id": "PYSEC-2026-188", "scanner": "osv-scanner", "correlation_key": "vuln|authlib|CVE-2026-44681|token", "duplicate_count": 3, "duplicate_rule_ids": ["GHSA-r95x-qfjj-fjj2", "PYSEC-2026-188"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["5044a0c808fe5421caafbb91ebecf4088e8a6707f6bc354fe92a1eaa1eadcaa7", "50b4ef0ca1a29ebbfd7c3c831a547df9337fcda6d12f530d2bf4643865668b49", "606aee95f3b204ee16adc0b42f689f9cda603f19afcbe6c5a65fbf4c6386e2c7", "6f9973172a53b18783d9583cb54e17a02df953f09888cf3dee77a244507120b8"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/agents/kebab/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 102165, "scanner": "repobility-docker", "fingerprint": "4adbaca2b2164c5b8083b3e28a150ed0a927d38cdb05496381be60d1fcae351f", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|4adbaca2b2164c5b8083b3e28a150ed0a927d38cdb05496381be60d1fcae351f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/Dockerfile"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 102144, "scanner": "repobility-docker", "fingerprint": "f5499bea1526a5e0bf9fa2bfe28b908985b2e8280f9002f3ea66397cc6e3163e", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f5499bea1526a5e0bf9fa2bfe28b908985b2e8280f9002f3ea66397cc6e3163e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/testdata/skills/kebab-maker/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 102141, "scanner": "repobility-docker", "fingerprint": "677a8aeb710ad80500863e4962d9522c0e78927899c4bce96aa70450ba9f981f", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|677a8aeb710ad80500863e4962d9522c0e78927899c4bce96aa70450ba9f981f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/mcp/frameworks/typescript/templates/Dockerfile.tmpl"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 102136, "scanner": "repobility-docker", "fingerprint": "dce50c83edd65fe1f0da331e1d5ca3dac23703110da48af43e806bff8ff92a6d", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|dce50c83edd65fe1f0da331e1d5ca3dac23703110da48af43e806bff8ff92a6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/mcp/frameworks/golang/templates/Dockerfile.tmpl"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 102134, "scanner": "repobility-docker", "fingerprint": "a22963714a8dbfd9c583ea5bb7894743333bc24e93d3b410bbe83866810891df", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a22963714a8dbfd9c583ea5bb7894743333bc24e93d3b410bbe83866810891df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/agent/frameworks/adk/python/templates/mcp_server/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 102123, "scanner": "repobility-docker", "fingerprint": "d3f31486d70d6fea349f57d1538a35a17a81e947296af3d7e2042da6d6bfb9e3", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d3f31486d70d6fea349f57d1538a35a17a81e947296af3d7e2042da6d6bfb9e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 152}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 102122, "scanner": "repobility-docker", "fingerprint": "4cb1a71f3381ebdcdad7c131a56ff491c224df2091b91bbc23cd4a88bd856682", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4cb1a71f3381ebdcdad7c131a56ff491c224df2091b91bbc23cd4a88bd856682"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 102104, "scanner": "repobility-threat-engine", "fingerprint": "4621aabe18a016fe9ee895386bdc39a43c6b4812910cee319b8ffdbc2ef140bd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4621aabe18a016fe9ee895386bdc39a43c6b4812910cee319b8ffdbc2ef140bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/app/a2a/[namespace]/[agentName]/route.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 102103, "scanner": "repobility-threat-engine", "fingerprint": "9f4675e329c984aef27935eaa8b9747615d3c5a85a6c0478b42b1ba7bbcc37a7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9f4675e329c984aef27935eaa8b9747615d3c5a85a6c0478b42b1ba7bbcc37a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/app/a2a-sandboxes/[namespace]/[agentName]/route.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 102096, "scanner": "repobility-threat-engine", "fingerprint": "942026307fdc8121ad5c078f140c83dcceff5ec4c1cd7f1c47ca0254bab43015", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|942026307fdc8121ad5c078f140c83dcceff5ec4c1cd7f1c47ca0254bab43015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-langgraph/src/kagent/langgraph/_converters.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 102087, "scanner": "repobility-threat-engine", "fingerprint": "ac0e34ecb3f9cfa0fe6c043ae386332507a4888ece7d3eeda03bd82fb372fa36", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ac0e34ecb3f9cfa0fe6c043ae386332507a4888ece7d3eeda03bd82fb372fa36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/src/kagent/adk/_mcp_toolset.py"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED020", "level": "error", "message": {"text": "[MINED020] Logging Credential Via Fstring: logger.error(f\"failed for {api_key}\") \u2014 secrets end up in log aggregators / sentry."}, "properties": {"repobilityId": 102077, "scanner": "repobility-threat-engine", "fingerprint": "abd8866298f68b870f7324b037ef20a005427b7dd27fed996ebdbb5c4ba9a595", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "logging-credential-via-fstring", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347945+00:00", "triaged_in_corpus": 15, "observations_count": 46100, "ai_coder_pattern_id": 38}, "scanner": "repobility-threat-engine", "correlation_key": "fp|abd8866298f68b870f7324b037ef20a005427b7dd27fed996ebdbb5c4ba9a595"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/src/kagent/adk/_token.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED020", "level": "error", "message": {"text": "[MINED020] Logging Credential Via Fstring: logger.error(f\"failed for {api_key}\") \u2014 secrets end up in log aggregators / sentry."}, "properties": {"repobilityId": 102076, "scanner": "repobility-threat-engine", "fingerprint": "2adccbb9870c0e41d86f78f00f6a7429562c1fffeef724c00e65c44a4b59ba78", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "logging-credential-via-fstring", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347945+00:00", "triaged_in_corpus": 15, "observations_count": 46100, "ai_coder_pattern_id": 38}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2adccbb9870c0e41d86f78f00f6a7429562c1fffeef724c00e65c44a4b59ba78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/agentsts-core/src/agentsts/core/_base.py"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED020", "level": "error", "message": {"text": "[MINED020] Logging Credential Via Fstring: logger.error(f\"failed for {api_key}\") \u2014 secrets end up in log aggregators / sentry."}, "properties": {"repobilityId": 102075, "scanner": "repobility-threat-engine", "fingerprint": "64e0529248a9923b0970690b337ca7b3f09f17364d5d05715800c12c8ef0670e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "logging-credential-via-fstring", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347945+00:00", "triaged_in_corpus": 15, "observations_count": 46100, "ai_coder_pattern_id": 38}, "scanner": "repobility-threat-engine", "correlation_key": "fp|64e0529248a9923b0970690b337ca7b3f09f17364d5d05715800c12c8ef0670e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/agentsts-core/src/agentsts/core/_actor_service.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED099", "level": "error", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 102074, "scanner": "repobility-threat-engine", "fingerprint": "064bec027f2ba3341a61eb74e4a3d7cd73caeb787c8ada0aec52676ca9380943", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|064bec027f2ba3341a61eb74e4a3d7cd73caeb787c8ada0aec52676ca9380943"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/pkg/sandboxbackend/openshell/channels/placeholders.go"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 102070, "scanner": "repobility-threat-engine", "fingerprint": "36cf0ea42d07a4b437ffd618241aaf9462414b3f4f88bf47241c27a01e2167aa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "request.headers.update(headers)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|36cf0ea42d07a4b437ffd618241aaf9462414b3f4f88bf47241c27a01e2167aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/src/kagent/adk/_token.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 102069, "scanner": "repobility-threat-engine", "fingerprint": "dec93d34eb3d7e1ac08894b337fd1070dcd8395b18aadcc28638a3d820c7f814", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "data.update(request.additional_parameters)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dec93d34eb3d7e1ac08894b337fd1070dcd8395b18aadcc28638a3d820c7f814"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/agentsts-core/src/agentsts/core/client/_client.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 102068, "scanner": "repobility-threat-engine", "fingerprint": "3ed0a3e4396ca95ceb4ae1b59bad9cb7b1ec70f80df0478bf203c5e3211f961b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "a.clientRegistry.delete(ref)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3ed0a3e4396ca95ceb4ae1b59bad9cb7b1ec70f80df0478bf203c5e3211f961b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/a2a/a2a_registrar.go"}, "region": {"startLine": 143}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 102064, "scanner": "repobility-threat-engine", "fingerprint": "529fb22396988e11e668e46596ce204f3abecd8786cc894a23361fc3cf44c044", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|529fb22396988e11e668e46596ce204f3abecd8786cc894a23361fc3cf44c044"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/cli/agent/install.go"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 102063, "scanner": "repobility-threat-engine", "fingerprint": "f15dae6529796bd3acb7eb35ea2371ede0b7c8048e060d6d5fcb6edc9846ca92", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f15dae6529796bd3acb7eb35ea2371ede0b7c8048e060d6d5fcb6edc9846ca92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/cli/agent/dashboard_darwin.go"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 102062, "scanner": "repobility-threat-engine", "fingerprint": "781ee746ea5ba933f1c5ef64df93e4b77edadfae0633569e7a588709ced85cb6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|781ee746ea5ba933f1c5ef64df93e4b77edadfae0633569e7a588709ced85cb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/adk/pkg/skills/shell.go"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 102060, "scanner": "repobility-threat-engine", "fingerprint": "acef729e70e6969b95c92aa6fb5bde380dd19035a659cbd2b4d4975bdf4869b3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|acef729e70e6969b95c92aa6fb5bde380dd19035a659cbd2b4d4975bdf4869b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/common/fs/project.go"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 102059, "scanner": "repobility-threat-engine", "fingerprint": "be246198aaf6d84ff49c5a75f234f267e0933667e487edce0604537374438ce3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|be246198aaf6d84ff49c5a75f234f267e0933667e487edce0604537374438ce3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/api/client/modelconfig.go"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 102058, "scanner": "repobility-threat-engine", "fingerprint": "df6063229e08887d24daa7c3aff8210b37860baedd8deb7c6457e7d29893cf60", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|df6063229e08887d24daa7c3aff8210b37860baedd8deb7c6457e7d29893cf60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/adk/pkg/session/session.go"}, "region": {"startLine": 300}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 102057, "scanner": "repobility-threat-engine", "fingerprint": "7ef0ba04047edce5ec8d7a37231ba5682efb92b100aa0412b7539cd146c90abf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7ef0ba04047edce5ec8d7a37231ba5682efb92b100aa0412b7539cd146c90abf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/src/kagent/adk/models/_token_source.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 102056, "scanner": "repobility-threat-engine", "fingerprint": "55d9f82794c6183d44cf5ec3cc508e79810188650f0c3676b8b4e2094166a122", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|55d9f82794c6183d44cf5ec3cc508e79810188650f0c3676b8b4e2094166a122"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/src/kagent/adk/models/_ssl.py"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 102055, "scanner": "repobility-threat-engine", "fingerprint": "2ca47473c0c2d1c852f1a754f28573ea5f4ef896666e1091be144f7159d71c94", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2ca47473c0c2d1c852f1a754f28573ea5f4ef896666e1091be144f7159d71c94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/adk/pkg/models/tls.go"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC088", "level": "error", "message": {"text": "[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM risk. Ported from gosec G402 (Apache-2.0)."}, "properties": {"repobilityId": 102054, "scanner": "repobility-threat-engine", "fingerprint": "e1209a8a36de9307e810bb837dca4147ea3b036b8231b78384ed495a4d6be157", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "InsecureSkipVerify: true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC088", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e1209a8a36de9307e810bb837dca4147ea3b036b8231b78384ed495a4d6be157"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/adk/pkg/models/tls.go"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 102052, "scanner": "repobility-threat-engine", "fingerprint": "c55dfa2cc05254995d7dcda68ad05821c5ac4575de65b72da0015c7c540e0817", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c55dfa2cc05254995d7dcda68ad05821c5ac4575de65b72da0015c7c540e0817"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/adk/pkg/models/sapaicore.go"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 102051, "scanner": "repobility-threat-engine", "fingerprint": "3451535b0a75f947832b9cd1217e0e0c772a306d7565cfbc801a296869112a2f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3451535b0a75f947832b9cd1217e0e0c772a306d7565cfbc801a296869112a2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/adk/pkg/models/openai.go"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 102050, "scanner": "repobility-threat-engine", "fingerprint": "0c3b595304948a54d94efe149f9be8d07284d89ef9b69a5c5ebbb89aa3b1921d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0c3b595304948a54d94efe149f9be8d07284d89ef9b69a5c5ebbb89aa3b1921d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/adk/pkg/models/anthropic.go"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 102039, "scanner": "repobility-threat-engine", "fingerprint": "4265294be75315ce158d993467700dbc3fae9fe8b448837770ed4aeb7c74cbec", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.debug(f\"Loading actor token from {self.token_path}\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|3|logger.debug f loading actor token from self.token_path"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/agentsts-core/src/agentsts/core/_actor_service.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 102038, "scanner": "repobility-threat-engine", "fingerprint": "114fdb9b11e8fba7c4895a024bdbe46510406d04d3b604cf19e19708de1565ce", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.Error(err, \"Failed to fetch actor token dynamically, skipping STS token exchange\", \"sessionID", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|go/adk/pkg/sts/plugin.go|17|logger.error err failed to fetch actor token dynamically skipping sts token exchange sessionid"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/adk/pkg/sts/plugin.go"}, "region": {"startLine": 173}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 102037, "scanner": "repobility-threat-engine", "fingerprint": "1f2aeeae286eeba9a1e0d392cf55aa95fb041fb2d4af034100befcc2148955d8", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.Error(err, \"Failed to start token service\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|go/adk/cmd/main.go|13|logger.error err failed to start token service"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/adk/cmd/main.go"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:24-bookworm-slim` not pinned by digest"}, "properties": {"repobilityId": 102012, "scanner": "repobility-supply-chain", "fingerprint": "b1a4bfa424e3bf9a7aaef46b37a4b3fb5b423c4955d338a79a217922929957fa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b1a4bfa424e3bf9a7aaef46b37a4b3fb5b423c4955d338a79a217922929957fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/agent/frameworks/adk/python/templates/mcp_server/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:17-jre` not pinned by digest"}, "properties": {"repobilityId": 102011, "scanner": "repobility-supply-chain", "fingerprint": "ee7ac0a8dc16b74af0393fdb1a6dbfa2bacd40d6b11d9a7d1d3a3373fe6fe4a1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ee7ac0a8dc16b74af0393fdb1a6dbfa2bacd40d6b11d9a7d1d3a3373fe6fe4a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/mcp/frameworks/java/templates/Dockerfile.tmpl"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `maven:3.8.7` not pinned by digest"}, "properties": {"repobilityId": 102010, "scanner": "repobility-supply-chain", "fingerprint": "b87fed0b13f3407910b5704682c9a41c50366d6afd009d861016f12dc23385eb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b87fed0b13f3407910b5704682c9a41c50366d6afd009d861016f12dc23385eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/mcp/frameworks/java/templates/Dockerfile.tmpl"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `python:3.12-slim` not pinned by digest"}, "properties": {"repobilityId": 102009, "scanner": "repobility-supply-chain", "fingerprint": "8cfea859956ee4a095fde736c6ba2037a2d35e70e60535a2e3b54c16edab387e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8cfea859956ee4a095fde736c6ba2037a2d35e70e60535a2e3b54c16edab387e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/mcp/frameworks/python/templates/Dockerfile.tmpl"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `python:3.12-slim` not pinned by digest"}, "properties": {"repobilityId": 102008, "scanner": "repobility-supply-chain", "fingerprint": "e721fe5d12738123a04bf35658ac92e65030fb22acd4aecfb17d4533441e59b0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e721fe5d12738123a04bf35658ac92e65030fb22acd4aecfb17d4533441e59b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/mcp/frameworks/python/templates/Dockerfile.tmpl"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22-bookworm-slim` not pinned by digest"}, "properties": {"repobilityId": 102007, "scanner": "repobility-supply-chain", "fingerprint": "f5ee67ccb07956610d092695678ccda50198aabbda07fd9019f96b4bf5a9f26e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f5ee67ccb07956610d092695678ccda50198aabbda07fd9019f96b4bf5a9f26e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/mcp/frameworks/typescript/templates/Dockerfile.tmpl"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `golang:1.23.0-alpine` not pinned by digest"}, "properties": {"repobilityId": 102006, "scanner": "repobility-supply-chain", "fingerprint": "47ff8cd9790d3e3a9187906290543807d6618b665aefeec7e5df41cfc3a429e8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47ff8cd9790d3e3a9187906290543807d6618b665aefeec7e5df41cfc3a429e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/cli/internal/mcp/frameworks/golang/templates/Dockerfile.tmpl"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `registry:2` unpinned"}, "properties": {"repobilityId": 102005, "scanner": "repobility-supply-chain", "fingerprint": "2de394d49ae3ad93c28c27ab2bafc8dad5d02ff897d5691d8cf2fe55c8c95e04", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2de394d49ae3ad93c28c27ab2bafc8dad5d02ff897d5691d8cf2fe55c8c95e04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/image-scan.yaml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `registry:2` unpinned"}, "properties": {"repobilityId": 102004, "scanner": "repobility-supply-chain", "fingerprint": "c180576f94e3c4b2ea3f40a0d86aef55100f9cd19bf2f12816730160728c373b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c180576f94e3c4b2ea3f40a0d86aef55100f9cd19bf2f12816730160728c373b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yaml"}, "region": {"startLine": 264}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 102003, "scanner": "repobility-supply-chain", "fingerprint": "d56d197aca705c73cd4e25f3a84c408d8e101adc4259021c79614d35d4cf8e7c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d56d197aca705c73cd4e25f3a84c408d8e101adc4259021c79614d35d4cf8e7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yaml"}, "region": {"startLine": 348}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 102002, "scanner": "repobility-supply-chain", "fingerprint": "fafe32503c97810eb57f79465265c438728aeedb9a409bc7dbd45a0bc15c05a8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fafe32503c97810eb57f79465265c438728aeedb9a409bc7dbd45a0bc15c05a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yaml"}, "region": {"startLine": 345}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 102001, "scanner": "repobility-supply-chain", "fingerprint": "05c989ed0626d3a19da0bb83e1ecd1af8669e6f45e470f1bcd19294f460bc1b4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|05c989ed0626d3a19da0bb83e1ecd1af8669e6f45e470f1bcd19294f460bc1b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yaml"}, "region": {"startLine": 324}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 102000, "scanner": "repobility-supply-chain", "fingerprint": "437e2da3263a22a7ddff653da0fdeae2594313dacd754f05429d1e25e01caeb2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|437e2da3263a22a7ddff653da0fdeae2594313dacd754f05429d1e25e01caeb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yaml"}, "region": {"startLine": 321}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 101999, "scanner": "repobility-supply-chain", "fingerprint": "7c56011d06efbdcbee01041192badef3d66ee526749bdd8e14741b9683c2e9b5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7c56011d06efbdcbee01041192badef3d66ee526749bdd8e14741b9683c2e9b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yaml"}, "region": {"startLine": 303}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 101998, "scanner": "repobility-supply-chain", "fingerprint": "e00a5514c94ee3adaff2faf63d3a5c5519899e07580ecef1b17a8d0ff68054d9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e00a5514c94ee3adaff2faf63d3a5c5519899e07580ecef1b17a8d0ff68054d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yaml"}, "region": {"startLine": 300}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 101997, "scanner": "repobility-supply-chain", "fingerprint": "1110653c6da51fa42448154dc749f41843bcfe280e04968704025b04a154a150", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1110653c6da51fa42448154dc749f41843bcfe280e04968704025b04a154a150"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yaml"}, "region": {"startLine": 269}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 101996, "scanner": "repobility-supply-chain", "fingerprint": "a17a42b8f3b6e86627f833302a88e66135734f150990d9801d459bbb428ddb4d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a17a42b8f3b6e86627f833302a88e66135734f150990d9801d459bbb428ddb4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yaml"}, "region": {"startLine": 218}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 101995, "scanner": "repobility-supply-chain", "fingerprint": "7b899fc4243147fd78a9bff45f11a0dd9078e144c302d90c4c1f0673e2b0d6c8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7b899fc4243147fd78a9bff45f11a0dd9078e144c302d90c4c1f0673e2b0d6c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yaml"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `azure/setup-helm` pinned to mutable ref `@v5.0.0`"}, "properties": {"repobilityId": 101994, "scanner": "repobility-supply-chain", "fingerprint": "a8e52229aad9912b0d2eb6a17dd0f5db5abe0baeafd4dcdd359c083f4198ca8d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a8e52229aad9912b0d2eb6a17dd0f5db5abe0baeafd4dcdd359c083f4198ca8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yaml"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 101993, "scanner": "repobility-supply-chain", "fingerprint": "009cfeb942a0b0407d778aa8ca4215edceb0727ce7d8346101ac4f6a2835bedb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|009cfeb942a0b0407d778aa8ca4215edceb0727ce7d8346101ac4f6a2835bedb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yaml"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 101992, "scanner": "repobility-supply-chain", "fingerprint": "54a44371a5d47b870209ee5f36c97c8efa17b7237423d0c5088a98c65cdb3fbb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|54a44371a5d47b870209ee5f36c97c8efa17b7237423d0c5088a98c65cdb3fbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yaml"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 101991, "scanner": "repobility-supply-chain", "fingerprint": "aa6c9729609655e6adb6d53715e2bf40112f0932b5c94c87a4a26959b8b949af", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa6c9729609655e6adb6d53715e2bf40112f0932b5c94c87a4a26959b8b949af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yaml"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `azure/setup-helm` pinned to mutable ref `@v5.0.0`"}, "properties": {"repobilityId": 101990, "scanner": "repobility-supply-chain", "fingerprint": "3bb67ed6a51e4c28eb825ba9152b6496d0e5944f0f0d3ce12c70fec670bb735b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3bb67ed6a51e4c28eb825ba9152b6496d0e5944f0f0d3ce12c70fec670bb735b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yaml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 101989, "scanner": "repobility-supply-chain", "fingerprint": "adf36bae9739ab01dec7bdcb78a93e220c6a31faa34cfca8d51d8eb960153061", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|adf36bae9739ab01dec7bdcb78a93e220c6a31faa34cfca8d51d8eb960153061"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yaml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 101988, "scanner": "repobility-supply-chain", "fingerprint": "ce14019057f383676971d63ea8120ae24a71e06552e7a0579a6d73434461b9a2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ce14019057f383676971d63ea8120ae24a71e06552e7a0579a6d73434461b9a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ui-chromatic.yaml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 101987, "scanner": "repobility-supply-chain", "fingerprint": "e46ad150d427d2fa080da4bb756cd8d10d5ae11539ee5aa16e97a2090a946be2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e46ad150d427d2fa080da4bb756cd8d10d5ae11539ee5aa16e97a2090a946be2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ui-chromatic.yaml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `softprops/action-gh-release` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 101986, "scanner": "repobility-supply-chain", "fingerprint": "5f5884c2bb957a984c6018a6734182b5db18a7b4ba765fc46018737cfbac1626", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5f5884c2bb957a984c6018a6734182b5db18a7b4ba765fc46018737cfbac1626"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tag.yaml"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 101985, "scanner": "repobility-supply-chain", "fingerprint": "44da16bbe755f7511af5eb7f379b606d0903d32184b83455247f32f7d37c6157", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|44da16bbe755f7511af5eb7f379b606d0903d32184b83455247f32f7d37c6157"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tag.yaml"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 101984, "scanner": "repobility-supply-chain", "fingerprint": "51228a81a51afd0fe02051c5580500c7d5df1123a2e5ddd2e6b8b38d2abab443", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|51228a81a51afd0fe02051c5580500c7d5df1123a2e5ddd2e6b8b38d2abab443"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tag.yaml"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 101983, "scanner": "repobility-supply-chain", "fingerprint": "4de84ed806317a0c71ce718a16688cedeec9212619cd345b569468efa4779b35", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4de84ed806317a0c71ce718a16688cedeec9212619cd345b569468efa4779b35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tag.yaml"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 101982, "scanner": "repobility-supply-chain", "fingerprint": "8bf3b90e71d9486508d66ea7c6bea37547f73fe2515626f2c726b5f8a881de81", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8bf3b90e71d9486508d66ea7c6bea37547f73fe2515626f2c726b5f8a881de81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tag.yaml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 101981, "scanner": "repobility-supply-chain", "fingerprint": "2de5084b70cfdf4128d30c6263027587e8b61d86a091921b4af298119a00fbe8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2de5084b70cfdf4128d30c6263027587e8b61d86a091921b4af298119a00fbe8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tag.yaml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 101980, "scanner": "repobility-supply-chain", "fingerprint": "34fd6e31f92817c395048a3fe46c6628096c4e93c6f524d8acae7f95d47a00c3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|34fd6e31f92817c395048a3fe46c6628096c4e93c6f524d8acae7f95d47a00c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-agent-framework-test.yaml"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 101979, "scanner": "repobility-supply-chain", "fingerprint": "0fc35c3aa07a62063e2a580c3097ece003737e83062fadeff0d831d5892264c3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0fc35c3aa07a62063e2a580c3097ece003737e83062fadeff0d831d5892264c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-agent-framework-test.yaml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `ghcr.io/astral-sh/uv:python3.13-trixie-slim` not pinned by digest"}, "properties": {"repobilityId": 101978, "scanner": "repobility-supply-chain", "fingerprint": "d1b22742de3750545d4186d7f970055db77f87e06f37a1dd6c57bac94edc69de", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d1b22742de3750545d4186d7f970055db77f87e06f37a1dd6c57bac94edc69de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/langgraph/kebab/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `ghcr.io/astral-sh/uv:python3.13-trixie-slim` not pinned by digest"}, "properties": {"repobilityId": 101977, "scanner": "repobility-supply-chain", "fingerprint": "c9084288b38bf39387a25c18c0fb0e915a23cd815b43c11a80c32d39f74fe35a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c9084288b38bf39387a25c18c0fb0e915a23cd815b43c11a80c32d39f74fe35a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/langgraph/currency/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `ghcr.io/astral-sh/uv:python3.13-trixie-slim` not pinned by digest"}, "properties": {"repobilityId": 101976, "scanner": "repobility-supply-chain", "fingerprint": "1c4b798b71ebb412352e0aff5b42e27c983ee089efc7234030b3e8a296874405", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1c4b798b71ebb412352e0aff5b42e27c983ee089efc7234030b3e8a296874405"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/langgraph/hitl-tools/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `ghcr.io/astral-sh/uv:python3.13-trixie-slim` not pinned by digest"}, "properties": {"repobilityId": 101975, "scanner": "repobility-supply-chain", "fingerprint": "61b88d8d6cc0e91fa4ac52b56d6431e668d0ddf75d6bd67dc4402357ae0faf09", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|61b88d8d6cc0e91fa4ac52b56d6431e668d0ddf75d6bd67dc4402357ae0faf09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/crewai/poem_flow/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `ghcr.io/astral-sh/uv:python3.13-trixie-slim` not pinned by digest"}, "properties": {"repobilityId": 101974, "scanner": "repobility-supply-chain", "fingerprint": "11822d544eeb6397874c1dce2efe84f94dfeb724beab03ce2be05edfb1572b81", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|11822d544eeb6397874c1dce2efe84f94dfeb724beab03ce2be05edfb1572b81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/crewai/research-crew/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `ghcr.io/astral-sh/uv:python3.13-trixie-slim` not pinned by digest"}, "properties": {"repobilityId": 101973, "scanner": "repobility-supply-chain", "fingerprint": "6d7260ea27de6507fe526b94c62e5fea4319d75929e0be34c3df246fdbf905a8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6d7260ea27de6507fe526b94c62e5fea4319d75929e0be34c3df246fdbf905a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/openai/basic_agent/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `alpine:3.23` not pinned by digest"}, "properties": {"repobilityId": 101972, "scanner": "repobility-supply-chain", "fingerprint": "ffa1b5ed64570312ebf0cadc7ccbe7960b46585dc9d633f238814620c4db4c81", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ffa1b5ed64570312ebf0cadc7ccbe7960b46585dc9d633f238814620c4db4c81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/skills-init/Dockerfile"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `ghcr.io/astral-sh/uv (no tag)` not pinned by digest"}, "properties": {"repobilityId": 101971, "scanner": "repobility-supply-chain", "fingerprint": "aa5394f065ab674b1016734fd86a4691110370b304972dea677f1c2cfb12c2a0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa5394f065ab674b1016734fd86a4691110370b304972dea677f1c2cfb12c2a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `gcr.io/distroless/static:nonroot` not pinned by digest"}, "properties": {"repobilityId": 101970, "scanner": "repobility-supply-chain", "fingerprint": "076f689d5a526f0b9a4f5e8d6920e20913513b50d6a7778f390326cd6d19b4c7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|076f689d5a526f0b9a4f5e8d6920e20913513b50d6a7778f390326cd6d19b4c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_raises_when_auth_url_missing"}, "properties": {"repobilityId": 101962, "scanner": "repobility-ast-engine", "fingerprint": "5f283799bdb2bb62a9c8187a6d52fd1430bd7a0302fcc793fde877bf5d420172", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5f283799bdb2bb62a9c8187a6d52fd1430bd7a0302fcc793fde877bf5d420172"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/models/test_sap_ai_core.py"}, "region": {"startLine": 305}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_raises_when_env_vars_missing"}, "properties": {"repobilityId": 101961, "scanner": "repobility-ast-engine", "fingerprint": "f4723a6741a9338fe43a2586726e716c899a3f7c9913e433a9b2217852952134", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f4723a6741a9338fe43a2586726e716c899a3f7c9913e433a9b2217852952134"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/models/test_sap_ai_core.py"}, "region": {"startLine": 268}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_openai_client_with_base_url_and_tls"}, "properties": {"repobilityId": 101960, "scanner": "repobility-ast-engine", "fingerprint": "cb6d6357bcd968085d7890ce38078adba1729e26de64902e989fdee9bc5104ce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cb6d6357bcd968085d7890ce38078adba1729e26de64902e989fdee9bc5104ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/models/test_openai.py"}, "region": {"startLine": 718}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_ssl_context_certificate_file_not_found"}, "properties": {"repobilityId": 101959, "scanner": "repobility-ast-engine", "fingerprint": "ed11668d4958f8b172e5d2eaf8547fd6cb68dd6866bc7a37dc7ecead157d81a3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ed11668d4958f8b172e5d2eaf8547fd6cb68dd6866bc7a37dc7ecead157d81a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/models/test_ssl.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_e2e_with_self_signed_cert_fails_without_custom_ca_or_system_cas"}, "properties": {"repobilityId": 101958, "scanner": "repobility-ast-engine", "fingerprint": "0ddd22d28d4a5e1b771c6360d5663ed0b077b59a11e8309a5d867d16b9802af9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0ddd22d28d4a5e1b771c6360d5663ed0b077b59a11e8309a5d867d16b9802af9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/models/test_tls_e2e.py"}, "region": {"startLine": 214}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_e2e_with_self_signed_cert_fails_without_custom_ca"}, "properties": {"repobilityId": 101957, "scanner": "repobility-ast-engine", "fingerprint": "16a67396eae2e894c29a735b9dc103f593fd87e3a727623e4f8218adc4cdaae4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|16a67396eae2e894c29a735b9dc103f593fd87e3a727623e4f8218adc4cdaae4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/models/test_tls_e2e.py"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_response` used but never assigned in __init__"}, "properties": {"repobilityId": 101956, "scanner": "repobility-ast-engine", "fingerprint": "3200c20a6b14d29369b4fad87c54ef3473850c08a113e6bb4a7711c92c6bf2ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3200c20a6b14d29369b4fad87c54ef3473850c08a113e6bb4a7711c92c6bf2ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_proxy_integration.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_cancelled_error_still_raises"}, "properties": {"repobilityId": 101955, "scanner": "repobility-ast-engine", "fingerprint": "fb7dd267f6504f44f4e2917fd7d1a4e73297c0bd43a8994067c7d64032167298", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fb7dd267f6504f44f4e2917fd7d1a4e73297c0bd43a8994067c7d64032167298"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_mcp_connection_error_handling.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_non_connection_error_still_raises"}, "properties": {"repobilityId": 101954, "scanner": "repobility-ast-engine", "fingerprint": "380e482dfd1058d655aa7917cd9cbdbba031407461e6c420386ab8f4e927bfaf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|380e482dfd1058d655aa7917cd9cbdbba031407461e6c420386ab8f4e927bfaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_mcp_connection_error_handling.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_protocol_mcp_error_still_raises"}, "properties": {"repobilityId": 101953, "scanner": "repobility-ast-engine", "fingerprint": "819e99556e2668631eeccd0d568ed3827dc3ae56a444134d32db1812761cb5d2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|819e99556e2668631eeccd0d568ed3827dc3ae56a444134d32db1812761cb5d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_mcp_connection_error_handling.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_disable_system_cas_propagates_to_create_ssl_context"}, "properties": {"repobilityId": 101952, "scanner": "repobility-ast-engine", "fingerprint": "9d5b3216f9502579ecb38c585d87a2cf26a23c2ea8ff1c391b8bece790826587", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9d5b3216f9502579ecb38c585d87a2cf26a23c2ea8ff1c391b8bece790826587"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_mcp_tls.py"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._build_state` used but never assigned in __init__"}, "properties": {"repobilityId": 101951, "scanner": "repobility-ast-engine", "fingerprint": "46e813838574ea95778bbf2731ed4af4369678d357d5c8aa4e004714d8a1b36f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|46e813838574ea95778bbf2731ed4af4369678d357d5c8aa4e004714d8a1b36f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_remote_a2a_tool.py"}, "region": {"startLine": 597}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._build_state` used but never assigned in __init__"}, "properties": {"repobilityId": 101950, "scanner": "repobility-ast-engine", "fingerprint": "d5d1d2a6da4ab7b04231a8e1137fba2015ba0ac772066281a1fc7b957cfbc4aa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d5d1d2a6da4ab7b04231a8e1137fba2015ba0ac772066281a1fc7b957cfbc4aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_remote_a2a_tool.py"}, "region": {"startLine": 584}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._build_state` used but never assigned in __init__"}, "properties": {"repobilityId": 101949, "scanner": "repobility-ast-engine", "fingerprint": "abde1cca18899f61accb7867077f0837085587b940be003cd2a9b69eb4df8372", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|abde1cca18899f61accb7867077f0837085587b940be003cd2a9b69eb4df8372"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_remote_a2a_tool.py"}, "region": {"startLine": 570}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._build_state` used but never assigned in __init__"}, "properties": {"repobilityId": 101948, "scanner": "repobility-ast-engine", "fingerprint": "f61409d718c580ccca49633fbdf043e0cce2f97879c24a7bd879d2dc42b8b165", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f61409d718c580ccca49633fbdf043e0cce2f97879c24a7bd879d2dc42b8b165"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_remote_a2a_tool.py"}, "region": {"startLine": 553}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._build_state` used but never assigned in __init__"}, "properties": {"repobilityId": 101947, "scanner": "repobility-ast-engine", "fingerprint": "7edb0471021e7beaf7c0047603f597d4c14e225a119f5d4351495c361da973b4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7edb0471021e7beaf7c0047603f597d4c14e225a119f5d4351495c361da973b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_remote_a2a_tool.py"}, "region": {"startLine": 532}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._resume` used but never assigned in __init__"}, "properties": {"repobilityId": 101946, "scanner": "repobility-ast-engine", "fingerprint": "2c499ed8faa787d9e8d4eaae98e609802dd0d25361e3413468a1f090af1f0cd1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2c499ed8faa787d9e8d4eaae98e609802dd0d25361e3413468a1f090af1f0cd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_remote_a2a_tool.py"}, "region": {"startLine": 442}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._resume` used but never assigned in __init__"}, "properties": {"repobilityId": 101945, "scanner": "repobility-ast-engine", "fingerprint": "d32c6c9540ab447d7ce5a6a69001d08ed40386235fa7893324369b990e16438c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d32c6c9540ab447d7ce5a6a69001d08ed40386235fa7893324369b990e16438c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_remote_a2a_tool.py"}, "region": {"startLine": 427}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._resume` used but never assigned in __init__"}, "properties": {"repobilityId": 101944, "scanner": "repobility-ast-engine", "fingerprint": "f934903468e952cd735833853448871e5d4fdd8df0a6f0509b68bdc1623e0b67", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f934903468e952cd735833853448871e5d4fdd8df0a6f0509b68bdc1623e0b67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_remote_a2a_tool.py"}, "region": {"startLine": 419}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._resume` used but never assigned in __init__"}, "properties": {"repobilityId": 101943, "scanner": "repobility-ast-engine", "fingerprint": "2e8ab556d39150ad36b9ee9e5419b392a66183323ea4ef9ac727826e7997c1a1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2e8ab556d39150ad36b9ee9e5419b392a66183323ea4ef9ac727826e7997c1a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_remote_a2a_tool.py"}, "region": {"startLine": 407}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._resume` used but never assigned in __init__"}, "properties": {"repobilityId": 101942, "scanner": "repobility-ast-engine", "fingerprint": "b9310f6cb61024a725cc18590adde41771470db2e5427b6559976445cb36f77e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b9310f6cb61024a725cc18590adde41771470db2e5427b6559976445cb36f77e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_remote_a2a_tool.py"}, "region": {"startLine": 397}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._resume` used but never assigned in __init__"}, "properties": {"repobilityId": 101941, "scanner": "repobility-ast-engine", "fingerprint": "1669ae229014d5bc2087621b141ce97196bc51012d28d8f54cd7131c6c1fb2f2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1669ae229014d5bc2087621b141ce97196bc51012d28d8f54cd7131c6c1fb2f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_remote_a2a_tool.py"}, "region": {"startLine": 390}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._resume` used but never assigned in __init__"}, "properties": {"repobilityId": 101940, "scanner": "repobility-ast-engine", "fingerprint": "11da9cbedb693314bcb9dc65d3c2a3203f3e9686958665637190ad0d60d160c7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|11da9cbedb693314bcb9dc65d3c2a3203f3e9686958665637190ad0d60d160c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_remote_a2a_tool.py"}, "region": {"startLine": 375}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._call_intercept` used but never assigned in __init__"}, "properties": {"repobilityId": 101939, "scanner": "repobility-ast-engine", "fingerprint": "501c92d688d117c8896d8ebf278b99b59a32b3faff9db7072a2e89eb617a6199", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|501c92d688d117c8896d8ebf278b99b59a32b3faff9db7072a2e89eb617a6199"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_remote_a2a_tool.py"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._call_intercept` used but never assigned in __init__"}, "properties": {"repobilityId": 101938, "scanner": "repobility-ast-engine", "fingerprint": "f17632b47ef10e8afa12083874a8b38347b61e05c03aee5f04a93131ec589169", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f17632b47ef10e8afa12083874a8b38347b61e05c03aee5f04a93131ec589169"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_remote_a2a_tool.py"}, "region": {"startLine": 180}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_close_is_idempotent"}, "properties": {"repobilityId": 101937, "scanner": "repobility-ast-engine", "fingerprint": "22a861f6b7b257689d1083416d8733944e58c02697f2f9728ef5014bfc33dba5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|22a861f6b7b257689d1083416d8733944e58c02697f2f9728ef5014bfc33dba5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_remote_a2a_tool.py"}, "region": {"startLine": 479}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_inject_session_state_raises_on_unresolved_variable"}, "properties": {"repobilityId": 101936, "scanner": "repobility-ast-engine", "fingerprint": "ec7d9cabfc63397e86ef197b2f185e226dab75c76de11ab23b324111b67011fb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ec7d9cabfc63397e86ef197b2f185e226dab75c76de11ab23b324111b67011fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_instruction_escaping.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_mcp_toolset_close_propagates_cancelled_error"}, "properties": {"repobilityId": 101935, "scanner": "repobility-ast-engine", "fingerprint": "26b5aca9a787e8ca27b533ff288505089aa6f8faef11b92ffe5f392b66fad877", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|26b5aca9a787e8ca27b533ff288505089aa6f8faef11b92ffe5f392b66fad877"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_mcp_cleanup_resilience.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_mcp_toolset_close_reraises_non_cross_task_cancel_scope_error"}, "properties": {"repobilityId": 101934, "scanner": "repobility-ast-engine", "fingerprint": "fbf48fba123a5b6a4500d64c6cd60a0b898c989beb643c1c4d6f5ff72f59b1bb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fbf48fba123a5b6a4500d64c6cd60a0b898c989beb643c1c4d6f5ff72f59b1bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_mcp_cleanup_resilience.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_mcp_toolset_close_reraises_unexpected_error"}, "properties": {"repobilityId": 101933, "scanner": "repobility-ast-engine", "fingerprint": "3827f5c31800c57e0827220432a6a379f2d68cf36d03d46830bc36a2577500c7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3827f5c31800c57e0827220432a6a379f2d68cf36d03d46830bc36a2577500c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_mcp_cleanup_resilience.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_mcp_toolset_close_suppresses_known_anyio_cancel_scope_error"}, "properties": {"repobilityId": 101932, "scanner": "repobility-ast-engine", "fingerprint": "4a93d6065f40d71f5edaa4c7f4358747490917bb665e8991cad8e3dbc87aec40", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4a93d6065f40d71f5edaa4c7f4358747490917bb665e8991cad8e3dbc87aec40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_mcp_cleanup_resilience.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_safe_close_runner_propagates_caller_cancellation"}, "properties": {"repobilityId": 101931, "scanner": "repobility-ast-engine", "fingerprint": "e53b74bc415080250fa11bdf6414014fc078fea7abdc8ffbcaa0ce2f8f188dfd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e53b74bc415080250fa11bdf6414014fc078fea7abdc8ffbcaa0ce2f8f188dfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_mcp_cleanup_resilience.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_safe_close_runner_suppresses_known_anyio_cancel_scope_error"}, "properties": {"repobilityId": 101930, "scanner": "repobility-ast-engine", "fingerprint": "7a1be993b948cc25a513f339f846418c2858d6aa42b5bc38672eaae9d0fd4cb5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7a1be993b948cc25a513f339f846418c2858d6aa42b5bc38672eaae9d0fd4cb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_mcp_cleanup_resilience.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_safe_close_runner_reraises_unexpected_runner_close_error"}, "properties": {"repobilityId": 101929, "scanner": "repobility-ast-engine", "fingerprint": "2e5e975fa7f3bbb8affb8fbca838e7b28ce958f7cac983d108014e6d960e1288", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2e5e975fa7f3bbb8affb8fbca838e7b28ce958f7cac983d108014e6d960e1288"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_mcp_cleanup_resilience.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_bedrock_region_selection"}, "properties": {"repobilityId": 101928, "scanner": "repobility-ast-engine", "fingerprint": "119ad148414e781e2a74b86d6cae566467b8677941246c94dbf2a991dc850ea8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|119ad148414e781e2a74b86d6cae566467b8677941246c94dbf2a991dc850ea8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_embedding.py"}, "region": {"startLine": 200}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_ollama_uses_api_base_url"}, "properties": {"repobilityId": 101927, "scanner": "repobility-ast-engine", "fingerprint": "44ef186e044b412861b09e19dbcd9731186e961d9b739379f3606a048a830fcd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|44ef186e044b412861b09e19dbcd9731186e961d9b739379f3606a048a830fcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_embedding.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_compaction_missing_required_fields"}, "properties": {"repobilityId": 101926, "scanner": "repobility-ast-engine", "fingerprint": "bc7bf339faec631af94f38cb1481a56e1f78d022be1379673f5222f3a84c5962", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bc7bf339faec631af94f38cb1481a56e1f78d022be1379673f5222f3a84c5962"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-adk/tests/unittests/test_context_config.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._clean_partial_events` used but never assigned in __init__"}, "properties": {"repobilityId": 101925, "scanner": "repobility-ast-engine", "fingerprint": "53c671db3a507d7f4a36601889d4b6a97969cae5495191ae8baaa10a3a678a70", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|53c671db3a507d7f4a36601889d4b6a97969cae5495191ae8baaa10a3a678a70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-core/src/kagent/core/a2a/_task_store.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._is_partial_event` used but never assigned in __init__"}, "properties": {"repobilityId": 101924, "scanner": "repobility-ast-engine", "fingerprint": "c3b95ebb6901d342f763f2c0477b9e7040e6e39cacb55189edaf8fb4963964b5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c3b95ebb6901d342f763f2c0477b9e7040e6e39cacb55189edaf8fb4963964b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-core/src/kagent/core/a2a/_task_store.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.namespace` used but never assigned in __init__"}, "properties": {"repobilityId": 101923, "scanner": "repobility-ast-engine", "fingerprint": "6d62abade9aa975fa43087d2077c39247a38ceead5a1c1fe37e4134cfb626c7b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6d62abade9aa975fa43087d2077c39247a38ceead5a1c1fe37e4134cfb626c7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-core/src/kagent/core/_config.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.name` used but never assigned in __init__"}, "properties": {"repobilityId": 101922, "scanner": "repobility-ast-engine", "fingerprint": "51c6f42f350a505fb8974d8618373ed56d0332bfc404517fd85677accb4f7ef2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|51c6f42f350a505fb8974d8618373ed56d0332bfc404517fd85677accb4f7ef2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-core/src/kagent/core/_config.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_raises_for_none_key"}, "properties": {"repobilityId": 101921, "scanner": "repobility-ast-engine", "fingerprint": "65ebfc458f5dc00aceb794f87e9f6aa6348fba0331124eda8b1bcec95e812ea0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|65ebfc458f5dc00aceb794f87e9f6aa6348fba0331124eda8b1bcec95e812ea0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-core/tests/test_read_metadata_value.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_raises_for_empty_key"}, "properties": {"repobilityId": 101920, "scanner": "repobility-ast-engine", "fingerprint": "50b7ee00e3f630f1616af6c1c3acf46bc7ab65c2cd9eaa703e7dd88d7f228fc1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|50b7ee00e3f630f1616af6c1c3acf46bc7ab65c2cd9eaa703e7dd88d7f228fc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/kagent-core/tests/test_read_metadata_value.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.exchange_token` used but never assigned in __init__"}, "properties": {"repobilityId": 101919, "scanner": "repobility-ast-engine", "fingerprint": "977680d57a8d70d3b37b6263533d1c177338a853db55f800b2ef82e53282c60a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|977680d57a8d70d3b37b6263533d1c177338a853db55f800b2ef82e53282c60a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/agentsts-core/src/agentsts/core/client/_client.py"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.exchange_token` used but never assigned in __init__"}, "properties": {"repobilityId": 101918, "scanner": "repobility-ast-engine", "fingerprint": "ad2c3a258b0024bacdb2a8bf2be3fd2ba600b7f2fb180f9ac2167149e9708ffa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ad2c3a258b0024bacdb2a8bf2be3fd2ba600b7f2fb180f9ac2167149e9708ffa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/agentsts-core/src/agentsts/core/client/_client.py"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._initialize` used but never assigned in __init__"}, "properties": {"repobilityId": 101917, "scanner": "repobility-ast-engine", "fingerprint": "deb0b105c3ec9f7fe62571afea805cfb6f50e6b1f73d43daf0e5917f6aadb54f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|deb0b105c3ec9f7fe62571afea805cfb6f50e6b1f73d43daf0e5917f6aadb54f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/agentsts-core/src/agentsts/core/client/_client.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._build_request_data` used but never assigned in __init__"}, "properties": {"repobilityId": 101916, "scanner": "repobility-ast-engine", "fingerprint": "3a1e8198d7cec8a44a3dc74135780c3e9925c8a4bde34a59fb8d067f8e531d4e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3a1e8198d7cec8a44a3dc74135780c3e9925c8a4bde34a59fb8d067f8e531d4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/agentsts-core/src/agentsts/core/client/_client.py"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.close` used but never assigned in __init__"}, "properties": {"repobilityId": 101915, "scanner": "repobility-ast-engine", "fingerprint": "21e94aff9cdcdf4b5b7e13d36f705aab27c1499b44f920c2c8737ed14398b74b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|21e94aff9cdcdf4b5b7e13d36f705aab27c1499b44f920c2c8737ed14398b74b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/agentsts-core/src/agentsts/core/client/_client.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._initialize` used but never assigned in __init__"}, "properties": {"repobilityId": 101914, "scanner": "repobility-ast-engine", "fingerprint": "0af994ea6721d7c98db383921935611b858c86fbc347fc77b6dec7c238adcb95", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0af994ea6721d7c98db383921935611b858c86fbc347fc77b6dec7c238adcb95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/agentsts-core/src/agentsts/core/client/_client.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_exchange_token_failure"}, "properties": {"repobilityId": 101913, "scanner": "repobility-ast-engine", "fingerprint": "415fa1eba7403cb1e8ba6d85a290350bf750eecd4d0c042541a92fa0c4c1d450", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|415fa1eba7403cb1e8ba6d85a290350bf750eecd4d0c042541a92fa0c4c1d450"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/agentsts-core/tests/test_base.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "GHSA-f4j7-r4q5-qw2c", "level": "error", "message": {"text": "chromadb: GHSA-f4j7-r4q5-qw2c"}, "properties": {"repobilityId": 102267, "scanner": "osv-scanner", "fingerprint": "d5382ac04e695d73d00043b29ab0adf3225eed6d947a4001ccd0934f69484d84", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45829"], "package": "chromadb", "rule_id": "GHSA-f4j7-r4q5-qw2c", "scanner": "osv-scanner", "correlation_key": "vuln|chromadb|CVE-2026-45829|python/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rg7c-g689-fr3x", "level": "error", "message": {"text": "google-adk: GHSA-rg7c-g689-fr3x"}, "properties": {"repobilityId": 102259, "scanner": "osv-scanner", "fingerprint": "bc77642079ab7c676ef3e4d9725364d5331eb75a7515a2aeedaff7e282948679", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4810"], "package": "google-adk", "rule_id": "GHSA-rg7c-g689-fr3x", "scanner": "osv-scanner", "correlation_key": "vuln|google-adk|CVE-2026-4810|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/adk/basic/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wvwj-cvrp-7pv5", "level": "error", "message": {"text": "authlib: GHSA-wvwj-cvrp-7pv5"}, "properties": {"repobilityId": 102258, "scanner": "osv-scanner", "fingerprint": "e4ff4c5497e2ebc5206ae6208e9378ef06eaaba7ae020b96ee0ac6d6525debdd", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27962"], "package": "authlib", "rule_id": "GHSA-wvwj-cvrp-7pv5", "scanner": "osv-scanner", "correlation_key": "vuln|authlib|CVE-2026-27962|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/samples/adk/basic/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "jwt", "level": "error", "message": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "properties": {"repobilityId": 102185, "scanner": "gitleaks", "fingerprint": "c24723408746cab57c59cac220780e8348581104efd1c6baa5e8d61ac47b1bf5", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED\"", "rule_id": "jwt", "scanner": "gitleaks", "detector": "jwt", "correlation_key": "secret|token|110|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/test/e2e/invoke_api_test.go"}, "region": {"startLine": 1104}}}]}, {"ruleId": "jwt", "level": "error", "message": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "properties": {"repobilityId": 102184, "scanner": "gitleaks", "fingerprint": "62d139c31f9d1da3f306b27c1edd7691e8c5b59618f0117424308502f0a1a3d8", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED\"", "rule_id": "jwt", "scanner": "gitleaks", "detector": "jwt", "correlation_key": "secret|token|9|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/agentsts-core/tests/test_client.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "jwt", "level": "error", "message": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "properties": {"repobilityId": 102183, "scanner": "gitleaks", "fingerprint": "6a8679ef7673666791cfe701b4954f97b33cb8e5743c89d99cf60c4ac1a496a1", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED\"", "rule_id": "jwt", "scanner": "gitleaks", "detector": "jwt", "correlation_key": "secret|token|8|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/agentsts-core/tests/test_client.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "jwt", "level": "error", "message": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "properties": {"repobilityId": 102182, "scanner": "gitleaks", "fingerprint": "0af36cbdb23a2e9eacecad26293cc0e1187d7f779b678df2e2b53421d8ddfd21", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED\"", "rule_id": "jwt", "scanner": "gitleaks", "detector": "jwt", "correlation_key": "secret|token|6|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/agentsts-core/tests/test_client.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "jwt", "level": "error", "message": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "properties": {"repobilityId": 102181, "scanner": "gitleaks", "fingerprint": "756853e8533c36f52821353e65f2538cac923c4c9b30e0b2db2d5609c3fa1f36", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED\"", "rule_id": "jwt", "scanner": "gitleaks", "detector": "jwt", "correlation_key": "secret|token|5|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/agentsts-core/tests/test_client.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "kubernetes-secret-yaml", "level": "error", "message": {"text": "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments"}, "properties": {"repobilityId": 102180, "scanner": "gitleaks", "fingerprint": "faab3f4249ad3ecfcacd347b427ce4b122c815dfcfc9bd7f9807f6e5390be393", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "kind: Secret\n    metadata:\n      name: custom-ca-cert\n      namespace: test\n    data:\n      REDACTED", "rule_id": "kubernetes-secret-yaml", "scanner": "gitleaks", "detector": "kubernetes-secret-yaml", "correlation_key": "secret|token|1|kind: secret metadata: name: custom-ca-cert namespace: test data: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/translator/agent/testdata/inputs/tls-with-custom-ca.yaml"}, "region": {"startLine": 13}}}]}, {"ruleId": "kubernetes-secret-yaml", "level": "error", "message": {"text": "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments"}, "properties": {"repobilityId": 102179, "scanner": "gitleaks", "fingerprint": "5f8eb0ef5e92afb70b68e66e7fa9252712795f44badfae4bbe6bdcd8a0e9401e", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "kind: Secret\n    metadata:\n      name: corporate-ca-cert\n      namespace: test\n    data:\n      REDACTED", "rule_id": "kubernetes-secret-yaml", "scanner": "gitleaks", "detector": "kubernetes-secret-yaml", "correlation_key": "secret|token|1|kind: secret metadata: name: corporate-ca-cert namespace: test data: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/translator/agent/testdata/inputs/tls-with-system-cas-disabled.yaml"}, "region": {"startLine": 13}}}]}, {"ruleId": "kubernetes-secret-yaml", "level": "error", "message": {"text": "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments"}, "properties": {"repobilityId": 102178, "scanner": "gitleaks", "fingerprint": "07e9643f70296c50561355a2f58608565273c3bf38cc3dc06b291470e932b7f6", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "kind: Secret\n    metadata:\n      name: system-message-secret\n      namespace: test\n    data:\n      REDACTED", "rule_id": "kubernetes-secret-yaml", "scanner": "gitleaks", "detector": "kubernetes-secret-yaml", "correlation_key": "secret|token|1|kind: secret metadata: name: system-message-secret namespace: test data: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/translator/agent/testdata/inputs/agent_with_system_message_from_secret.yaml"}, "region": {"startLine": 13}}}]}, {"ruleId": "kubernetes-secret-yaml", "level": "error", "message": {"text": "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments"}, "properties": {"repobilityId": 102177, "scanner": "gitleaks", "fingerprint": "873da3dc0e720683e95ee515862ae3b118fd103b7b5fadc7ce4baf76a83884fa", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "kind: Secret\n    metadata:\n      name: tool-auth-secret\n      namespace: tools-ns\n    data:\n      REDACTED", "rule_id": "kubernetes-secret-yaml", "scanner": "gitleaks", "detector": "kubernetes-secret-yaml", "correlation_key": "secret|token|1|kind: secret metadata: name: tool-auth-secret namespace: tools-ns data: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/translator/agent/testdata/inputs/agent_with_cross_namespace_tools.yaml"}, "region": {"startLine": 16}}}]}, {"ruleId": "kubernetes-secret-yaml", "level": "error", "message": {"text": "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments"}, "properties": {"repobilityId": 102176, "scanner": "gitleaks", "fingerprint": "b583c417bf4ed28628ba3fb73c0d933f492d82f7e330298726eef610c2352205", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "kind: Secret\n    metadata:\n      name: openai-secret\n      namespace: source-ns\n    data:\n      REDACTED", "rule_id": "kubernetes-secret-yaml", "scanner": "gitleaks", "detector": "kubernetes-secret-yaml", "correlation_key": "secret|token|1|kind: secret metadata: name: openai-secret namespace: source-ns data: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/translator/agent/testdata/inputs/agent_with_cross_namespace_tools.yaml"}, "region": {"startLine": 7}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 102175, "scanner": "gitleaks", "fingerprint": "fade2f0538782df5751c3f76970a65deddfb0025cb3d0a31b83b0bc3dc88b42b", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "auth-token: <redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|2|auth-token: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/translator/agent/testdata/inputs/agent_with_cross_namespace_tools.yaml"}, "region": {"startLine": 21}}}]}, {"ruleId": "kubernetes-secret-yaml", "level": "error", "message": {"text": "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments"}, "properties": {"repobilityId": 102174, "scanner": "gitleaks", "fingerprint": "16d82316df43042f4a5b7ea93433efd6d5d02b756332c8ebb5270eccdcc3ab99", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "kind: Secret\n    metadata:\n      name: agent-secret\n      namespace: test\n    data:\n      REDACTED", "rule_id": "kubernetes-secret-yaml", "scanner": "gitleaks", "detector": "kubernetes-secret-yaml", "correlation_key": "secret|token|1|kind: secret metadata: name: agent-secret namespace: test data: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/translator/agent/testdata/inputs/agent_with_nested_agent.yaml"}, "region": {"startLine": 13}}}]}, {"ruleId": "kubernetes-secret-yaml", "level": "error", "message": {"text": "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments"}, "properties": {"repobilityId": 102173, "scanner": "gitleaks", "fingerprint": "19ccd37c2df4522f98b43c2816affd4ec40b0b10d4d5044c29d98cdd6b9c515a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "kind: Secret\n    metadata:\n      name: bedrock-credentials\n      namespace: test\n    data:\n      REDACTED", "rule_id": "kubernetes-secret-yaml", "scanner": "gitleaks", "detector": "kubernetes-secret-yaml", "correlation_key": "secret|token|1|kind: secret metadata: name: bedrock-credentials namespace: test data: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/translator/agent/testdata/inputs/bedrock_agent.yaml"}, "region": {"startLine": 6}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 102172, "scanner": "gitleaks", "fingerprint": "44083cba2218b9ce60a797fe5c7ed2522b013c880577c2d727be7d81690ea4f7", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "AWS_SECRET_ACCESS_KEY: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|1|aws_secret_access_key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/translator/agent/testdata/inputs/bedrock_agent.yaml"}, "region": {"startLine": 12}}}]}, {"ruleId": "kubernetes-secret-yaml", "level": "error", "message": {"text": "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments"}, "properties": {"repobilityId": 102171, "scanner": "gitleaks", "fingerprint": "8a96d6d66b05c46dafdbda6a97872dd830c911fbfe5652ec5708f6bae888da5e", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "kind: Secret\n    metadata:\n      name: anthropic-secret\n      namespace: test\n    data:\n      REDACTED", "rule_id": "kubernetes-secret-yaml", "scanner": "gitleaks", "detector": "kubernetes-secret-yaml", "correlation_key": "secret|token|1|kind: secret metadata: name: anthropic-secret namespace: test data: redacted", "duplicate_count": 1, "duplicate_rule_ids": ["kubernetes-secret-yaml"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["606868d64fe98a5f06e1fba24c219a54a5da26129bd891df98d63810b8fefd6c", "8a96d6d66b05c46dafdbda6a97872dd830c911fbfe5652ec5708f6bae888da5e"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/translator/agent/testdata/inputs/agent_with_context_config.yaml"}, "region": {"startLine": 13}}}]}, {"ruleId": "kubernetes-secret-yaml", "level": "error", "message": {"text": "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments"}, "properties": {"repobilityId": 102170, "scanner": "gitleaks", "fingerprint": "c268a175e5161efee08664e01118b877ce0c3b4706378ca8acb85e63fffa3455", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "kind: Secret\n    metadata:\n      name: gcp-creds\n      namespace: test\n    data:\n      key.json: e30= # base64 \"{}\"\n  - apiVersion: kagent.dev/v1alpha2\n    REDACTED", "rule_id": "kubernetes-secret-yaml", "scanner": "gitleaks", "detector": "kubernetes-secret-yaml", "correlation_key": "secret|token|1|kind: secret metadata: name: gcp-creds namespace: test data: key.json: e30 # base64 - apiversion: kagent.dev/v1alpha2 re"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/translator/agent/testdata/inputs/agent_with_embedding_provider.yaml"}, "region": {"startLine": 13}}}]}, {"ruleId": "kubernetes-secret-yaml", "level": "error", "message": {"text": "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments"}, "properties": {"repobilityId": 102169, "scanner": "gitleaks", "fingerprint": "94491bad23e47c18fbca41d1761290bbcee8771b2bda64fb77cc60cfc5c48f80", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "kind: Secret\n    metadata:\n      name: math-secret\n      namespace: test\n    data:\n      REDACTED", "rule_id": "kubernetes-secret-yaml", "scanner": "gitleaks", "detector": "kubernetes-secret-yaml", "correlation_key": "secret|token|1|kind: secret metadata: name: math-secret namespace: test data: redacted", "duplicate_count": 1, "duplicate_rule_ids": ["kubernetes-secret-yaml"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["94491bad23e47c18fbca41d1761290bbcee8771b2bda64fb77cc60cfc5c48f80", "bbd4f08b457f6b0d83fa7fba1ac7e2931e822c86e3c887af3bf917ba5edc64ce"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/translator/agent/testdata/inputs/agent_with_mcp_service.yaml"}, "region": {"startLine": 13}}}]}, {"ruleId": "kubernetes-secret-yaml", "level": "error", "message": {"text": "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments"}, "properties": {"repobilityId": 102168, "scanner": "gitleaks", "fingerprint": "f7dd4723b8fb26f72f43e02bd16f47cd368e4894a1f3caebcfb7ac6e928e015c", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 29 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "kind: Secret\n    metadata:\n      name: openai-secret\n      namespace: test\n    data:\n      REDACTED", "rule_id": "kubernetes-secret-yaml", "scanner": "gitleaks", "detector": "kubernetes-secret-yaml", "correlation_key": "secret|token|1|kind: secret metadata: name: openai-secret namespace: test data: redacted", "duplicate_count": 29, "duplicate_rule_ids": ["kubernetes-secret-yaml"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["038ed64cc19885b29eda260bc136465dd8704762faac2dbe669515dc7e8d0d69", "0808edac8e460726cf65457fe7defbe62e0b424a689fa50258b056bd1888cd11", "0b18dbe454c6234ce94aecbe959d7d2e1eabe242f7eccea04f20e9c52526a0a0", "0ef2df1f9e1c8a41ae79c402559debdc5679be6871db590cbdedee96e253776d", "16117b80e9de59100783c7ab77a220dc791333de9291b751541609f93038fbe0", "2829ffc80b531422a21841a4e34a1465449de0c328eb83786dfb26a1010311b5", "2a8bf235af2c6a500919dc4c534d7161a88a31863e2225bae60c4f58d7ddff5d", "2b79504a9601172d082b2ef896d2dc476ff96c3674a3733b235d13b6c701a4a6", "2f107372df8b4244a5bd873c57b49ba797be23eb789cb09371b3e8da667ab8c3", "2f828fa0d7593864e2215a753e0fe196b3d2e4d293ef61e023d69e1c44fd27b7", "379095bb4b26671df5f63a405f2422a18929c164a4b37a0aed3eef24cba5cabd", "385d50f4555f611831095dac998341b0856799151d4b843d8c2cf497a3fc18ed"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/translator/agent/testdata/inputs/basic_agent.yaml"}, "region": {"startLine": 6}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 102167, "scanner": "gitleaks", "fingerprint": "47085fa8236a5f23c5ba46d3a2e58215db99465875af1a277a9e74a9ccb018ae", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 32 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "api-key: <redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|1|api-key: redacted", "duplicate_count": 32, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["13753b77554a8489e8c6e2c3fd760c0c068762650e817e84aa4da14f10413c3f", "2c30ea4e91d26cd729cb684bf92b99982f444d5c204182461d8393d64fb9f34b", "2c5b7b3a7916a424b7bb8b4abef287e7f527c56e611a349480a1f47d7be7dca2", "2d4fdd6fa99cd0cd3377809ec71aa9ac519b5e340253a126c3859b4c7bf2ef6d", "3a1fe695d454a89c8d852e55f53fe56516bf787058649f6c820be9f5acae7a50", "3db4e894ed3c540848486cb09fc9647d68decc3868613fc6ce200f8f216edd88", "4705745f5868f20db4f4d3ac397a14e5ef4c77ad26d72b71027464e2d53b55c4", "47085fa8236a5f23c5ba46d3a2e58215db99465875af1a277a9e74a9ccb018ae", "59fe94cd685e16a7102f0cc3f244764ba25cb4fbea76f51d349dd740bb9419d1", "67bb86f4c182d83a17165e88b4cb03db0a675ad4cae703415b5eb2cb9207e25f", "6e14596ac01e79334fc7c266163dbaabb3aec7f9962b8a7fea330fbff651af36", "6e88ab87ea27e7f80a01c4537aa4794b2d568d5c5ce3e88055d8da2e5bd3ad2e"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/controller/translator/agent/testdata/inputs/basic_agent.yaml"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC099", "level": "error", "message": {"text": "[SEC099] JWT decoded without signature verification: JWT token is parsed without verifying its signature. The token body can be tampered with arbitrarily by an attacker."}, "properties": {"repobilityId": 102082, "scanner": "repobility-threat-engine", "fingerprint": "c3620df9d45936e7f7edb8590f66dafb182d2c515fdaf9908c7723337c3e2987", "category": "auth", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "jwt.decode(token, options={\"verify_signature\": False", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC099", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|auth|token|69|sec099"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/packages/agentsts-core/src/agentsts/core/client/_utils.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC010", "level": "error", "message": {"text": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code."}, "properties": {"repobilityId": 102073, "scanner": "repobility-threat-engine", "fingerprint": "a6a8cec77f7d2c67cf8fa64d4ef46fe08a3ee42721a7f1f2e42499de6c5f343b", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "xoxb-OPENSHELL-RESOLVE-ENV-", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC010", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|1|xoxb-openshell-resolve-env-"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/pkg/sandboxbackend/openshell/channels/placeholders.go"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 102072, "scanner": "repobility-threat-engine", "fingerprint": "26a19f12d0678a14078009ea76762989e45307dfd70c8a321557c61d780633ab", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|26a19f12d0678a14078009ea76762989e45307dfd70c8a321557c61d780633ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/core/internal/httpserver/handlers/prompttemplates.go"}, "region": {"startLine": 79}}}]}]}]}