{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /(a"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR017", "name": "Dockerfile installs dependencies after copying the full source tree", "shortDescription": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "fullDescription": {"text": "Copy dependency manifests first, install dependencies in a cached layer, then copy the rest of the source tree."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. 
AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. 
The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web 
app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", 
"severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED074", "name": "[MINED074] Ai Tell Fake Citation (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED074] Ai Tell Fake Citation (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 7 more): Same pattern found in 7 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html (and 12 more): Same pattern found in 12 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED058] React Dangerously Set Html (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 86 more): Same pattern found in 86 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 86 more): Same pattern found in 86 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 12 more): Same pattern found in 12 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 12 more): Same pattern found in 12 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at work", "shortDescription": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise"}, "fullDescription": {"text": "Replace with: `uses: actions/github-script@<40-char-sha>  # v7` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `gitpod/workspace-full (no tag)` not pinned by digest: `FROM gitpod/workspace-full (no tag)` ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `gitpod/workspace-full (no tag)` not pinned by digest: `FROM gitpod/workspace-full (no tag)` resolves the tag at build time. 
The registry CAN re-push a different image for the same tag, so every build is potential"}, "fullDescription": {"text": "Replace with: `FROM gitpod/workspace-full (no tag)@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "Create .dockerignore before using broad context copies, or copy only the required files and directories."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.RELEASE_GPG_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.RELEASE_GPG_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.RELEASE_GPG_PRIVATE_KEY }` lets a PR from any fork e"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/745"}, "properties": {"repository": "shadcn-ui/ui", "repoUrl": "https://github.com/shadcn-ui/ui", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 61263, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 61262, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was 
discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /(app)/llm/::...slug."}, "properties": {"repobilityId": 61258, "scanner": "repobility-access-control", "fingerprint": "ab980b052b0a8dc4ff35a92b11a21bf684ccc4434678eb21d81165f1f46b50c6", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/(app)/llm/::...slug", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|apps/v4/app/ app /llm/ ...slug /route.ts|25|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/llm/[[...slug]]/route.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /r/registries.json."}, "properties": {"repobilityId": 61257, "scanner": "repobility-access-control", "fingerprint": "6c6032318b46e56911e048f02815b84af99495847c869f0c2fc2613859dc4ff4", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/r/registries.json", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|7|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/r/registries.json/route.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /(create)/init/md."}, "properties": {"repobilityId": 61256, "scanner": "repobility-access-control", "fingerprint": "605671c46ec8facf1758ad46e26df47c39c3202c944987f5d16c029f3b00b342", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/(create)/init/md", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|apps/v4/app/ create /init/md/route.ts|8|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(create)/init/md/route.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /(create)/init/v0."}, "properties": {"repobilityId": 61255, "scanner": "repobility-access-control", "fingerprint": "fe458cb4191efce33887cc2845b9c0d0a2f4c2cebbe005890a6a15fa1f5dd1e3", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/(create)/init/v0", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|apps/v4/app/ create /init/v0/route.ts|9|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(create)/init/v0/route.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /(create)/init."}, "properties": {"repobilityId": 61254, "scanner": "repobility-access-control", "fingerprint": "04b87d697fb46eb833d2221b88c116ac5dd8cdc1de13e7608ae619999cf6c24d", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/(create)/init", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|apps/v4/app/ create /init/route.ts|14|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(create)/init/route.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /rss.xml."}, "properties": {"repobilityId": 61253, "scanner": "repobility-access-control", "fingerprint": "48495ff5ecaef851614741eafd10c5cb0a7eef8300b93a9448ca031238b9fd48", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/rss.xml", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|8|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/rss.xml/route.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 61252, "scanner": "repobility-access-control", "fingerprint": "b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 6, "correlation_key": "fp|b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "auth_visible_percent": 0.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 61251, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", 
"confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 61250, "scanner": "repobility-docker", "fingerprint": "9085ca57999b63075729d3aee4ea54f3c3e09ac08573a016eac81fea98605fed", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:20-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9085ca57999b63075729d3aee4ea54f3c3e09ac08573a016eac81fea98605fed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/react-router-monorepo/apps/web/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 61249, "scanner": "repobility-docker", "fingerprint": "b885d19df32ad5e290ce5dfba5c1589989c44098ac6a6b2f1addd8854d4ff35b", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 2 appears before dependency installation.", 
"evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 2, "correlation_key": "fp|b885d19df32ad5e290ce5dfba5c1589989c44098ac6a6b2f1addd8854d4ff35b", "dependency_install_line": 4}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/react-router-monorepo/apps/web/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 61246, "scanner": "repobility-docker", "fingerprint": "d6e6a94004a4b9d9dbfcd8f9bc057de3364a78c0603d1cff3e697734a7f7f0f8", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:20-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d6e6a94004a4b9d9dbfcd8f9bc057de3364a78c0603d1cff3e697734a7f7f0f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/react-router-app/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 61245, "scanner": "repobility-docker", "fingerprint": "2073ab06b7916e0fa6d635a635a96a6ea977c6ba7ff66ca66295d17fa9468520", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 2 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": 
"repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 2, "correlation_key": "fp|2073ab06b7916e0fa6d635a635a96a6ea977c6ba7ff66ca66295d17fa9468520", "dependency_install_line": 4}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/react-router-app/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 61242, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 61241, "scanner": "repobility-docker", "fingerprint": "6f1b7cea6dc223f2d7960e6c0fbfedec52dadc12f6af1cfe1bf5810383f42a69", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], 
"correlation_key": "fp|6f1b7cea6dc223f2d7960e6c0fbfedec52dadc12f6af1cfe1bf5810383f42a69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/Dockerfile"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, route mail to example.com addresses (an IANA-reserved documentation domain per RFC 2606 with no working mail service, so such mail is undeliverable rather than delivered to a third party), and leak that the codebase had an AI scaffolding pass. Review note: this match is placeholder text in a UI component registry block's signup form, where a sample name may be intentional demo content; confirm before fixing."}, "properties": {"repobilityId": 61206, "scanner": "repobility-threat-engine", "fingerprint": "7259d7811356b67521369ba0382e3fc2fecb594f9d031ac08890eac345156fc0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"John Doe\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7259d7811356b67521369ba0382e3fc2fecb594f9d031ac08890eac345156fc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/bases/base/blocks/signup-03/components/signup-form.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, route mail to example.com addresses (an IANA-reserved documentation domain per RFC 2606 with no working mail service, so such mail is undeliverable rather than delivered to a third party), and leak that the codebase had an AI scaffolding pass. Review note: this match is placeholder text in a UI component registry block's signup form, where a sample name may be intentional demo content; confirm before fixing."}, "properties": {"repobilityId": 61205, "scanner": "repobility-threat-engine", "fingerprint": "bc21a1c250da83c67f029831cafce8df4e1f1497cffed0d1a5994e9d653ee986", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"John Doe\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bc21a1c250da83c67f029831cafce8df4e1f1497cffed0d1a5994e9d653ee986"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/bases/base/blocks/signup-02/components/signup-form.tsx"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, route mail to example.com addresses (an IANA-reserved documentation domain per RFC 2606 with no working mail service, so such mail is undeliverable rather than delivered to a third party), and leak that the codebase had an AI scaffolding pass. Review note: this match is placeholder text in a UI component registry block's signup form, where a sample name may be intentional demo content; confirm before fixing."}, "properties": {"repobilityId": 61204, "scanner": "repobility-threat-engine", "fingerprint": "a7a810ae2697dccccfaaf8c867d9a1dbfbad20a97a7cb105bee65bab07620ed4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"John Doe\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a7a810ae2697dccccfaaf8c867d9a1dbfbad20a97a7cb105bee65bab07620ed4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/bases/base/blocks/signup-01/components/signup-form.tsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable, so use crypto.getRandomValues() or crypto.randomUUID() for any security-sensitive value. Review note: the matched call here is a sort comparator shuffling data.mails, not a token or key; confirm that no security-sensitive value derives from it before treating this as a cryptographic weakness. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 61203, "scanner": "repobility-threat-engine", "fingerprint": "2d27ce35164a48b394d525cdc7f143a519feec9171adf326f910e8367cdbec57", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "iveItem(item)\n                        const mail = data.mails.sort(() => Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2d27ce35164a48b394d525cdc7f143a519feec9171adf326f910e8367cdbec57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/new-york-v4/blocks/sidebar-09/components/app-sidebar.tsx"}, "region": {"startLine": 195}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable, so use crypto.getRandomValues() or crypto.randomUUID() for any security-sensitive value. Review note: the matched call here is a sort comparator shuffling data.mails, not a token or key; confirm that no security-sensitive value derives from it before treating this as a cryptographic weakness. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 61202, "scanner": "repobility-threat-engine", "fingerprint": "4f30e7e99895baf659c22fcd6e3ed229e05013ba5ef4ba18ca02817c657d9fab", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "iveItem(item)\n                        const mail = data.mails.sort(() => Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4f30e7e99895baf659c22fcd6e3ed229e05013ba5ef4ba18ca02817c657d9fab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/bases/radix/blocks/sidebar-09/components/app-sidebar.tsx"}, "region": {"startLine": 242}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable, so use crypto.getRandomValues() or crypto.randomUUID() for any security-sensitive value. Review note: the matched call here is a sort comparator shuffling data.mails, not a token or key; confirm that no security-sensitive value derives from it before treating this as a cryptographic weakness. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 61201, "scanner": "repobility-threat-engine", "fingerprint": "aaac228e9bbb1a9e2db4721643e599380391da9a31484fa3982bea5aba521791", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "iveItem(item)\n                        const mail = data.mails.sort(() => Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aaac228e9bbb1a9e2db4721643e599380391da9a31484fa3982bea5aba521791"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/bases/base/blocks/sidebar-09/components/app-sidebar.tsx"}, "region": {"startLine": 242}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 61192, "scanner": "repobility-threat-engine", "fingerprint": "029dc49f281c7163507673ed52fd631d207ab9a21dbdb59adf27531b80cfdefa", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|029dc49f281c7163507673ed52fd631d207ab9a21dbdb59adf27531b80cfdefa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/layout.tsx"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a 
target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 61187, "scanner": "repobility-threat-engine", "fingerprint": "21885048bcdb61dc6c881f72e53c0e383930acffec2a6b65f0f5ba8ae48655cb", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a\n        href={`${process.env.NEXT_PUBLIC_V0_URL}/chat/api/open?url=${process.env.NEXT_PUBLIC_APP_", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|22|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/components/open-in-v0-button.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 61186, "scanner": "repobility-threat-engine", "fingerprint": "ddce2d4f10929b011de695a111e0b96fd971bdd3bf9168fc9f5f1a90c9043041", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a\n      href={getPromptUrl(\"https://scira.ai/\", url)}\n      target=\"_blank\"\n      className=\"m-0 p-", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|91|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/components/docs-copy-page.tsx"}, "region": {"startLine": 91}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility. Review note: the matched href also interpolates url and title into a query string with no visible encoding; confirm they are passed through encodeURIComponent (or URLSearchParams) before the link is built."}, "properties": {"repobilityId": 61185, "scanner": "repobility-threat-engine", "fingerprint": "62e9936912a3c188e2315280e207b0806d35a99dce2129a0d1376be0235152ef", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a\n          href={`${process.env.NEXT_PUBLIC_V0_URL}/chat/api/open?url=${url}&title=${title}`}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|apps/v4/app/ app / token|47|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/create/components/v0-button.tsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection). Review note: the sandbox-escape detail above is Python-specific; the match here is exec( in a Node.js script (.github/version-script-next.js), where it more likely resolves to child_process.exec, a shell command-injection concern (CWE-78) rather than eval injection. Confirm which callee this is and that its command string is built only from trusted values, or switch to execFile with an argument array."}, "properties": {"repobilityId": 61160, "scanner": "repobility-threat-engine", "fingerprint": "b8c37528ab0394887c6d0437e0be07202a30836be8b0d3645a05f22a928afd13", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. 
token|10|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/version-script-next.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 61261, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 61260, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 61259, "scanner": "repobility-web-presence", 
"fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 61240, "scanner": "repobility-docker", "fingerprint": "bc2484a20cfdab9ab35d0347abfbd65d6127b0b0ab5930fd76f0e0a266618828", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bc2484a20cfdab9ab35d0347abfbd65d6127b0b0ab5930fd76f0e0a266618828"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 61239, "scanner": "repobility-docker", "fingerprint": "1dceb0fb902520097d7a415a99f36964d6704d6df9a0d43d10959e11da34e633", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, 
"reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|1dceb0fb902520097d7a415a99f36964d6704d6df9a0d43d10959e11da34e633"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61238, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5ec1852a7a635f91a208d14ba1bd8479c45dc565d20227dd3ab22ac13c602e4d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/registry/bases/base/blocks/dashboard-01/components/chart-area-interactive.tsx", "duplicate_line": 5, "correlation_key": "fp|5ec1852a7a635f91a208d14ba1bd8479c45dc565d20227dd3ab22ac13c602e4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/bases/base/blocks/preview-02/cards/dividend-income.tsx"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61237, "scanner": "repobility-ai-code-hygiene", "fingerprint": "be56587b6923b1c150dc65be04616d218f0e7170a70b25c70d2aa43a9d3aa5c1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/app/(app)/(root)/cards/claimable-balance.tsx", "duplicate_line": 28, "correlation_key": "fp|be56587b6923b1c150dc65be04616d218f0e7170a70b25c70d2aa43a9d3aa5c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/bases/base/blocks/preview-02/cards/claimable-balance.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61236, "scanner": "repobility-ai-code-hygiene", "fingerprint": "96b511ef102f7ab1e12c7687a643bf5b203c6ee0b9cfb173dfaa3aa1bac7b4ae", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/app/(app)/(root)/cards/account-access.tsx", "duplicate_line": 25, "correlation_key": "fp|96b511ef102f7ab1e12c7687a643bf5b203c6ee0b9cfb173dfaa3aa1bac7b4ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/bases/base/blocks/preview-02/cards/account-access.tsx"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61235, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9889a2bfe376b459dfdd1af867b9250946c481ce5c6f9025e3d015af4dbacf6e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/registry/bases/base/blocks/login-01/components/login-form.tsx", "duplicate_line": 33, "correlation_key": "fp|9889a2bfe376b459dfdd1af867b9250946c481ce5c6f9025e3d015af4dbacf6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/bases/base/blocks/login-04/components/login-form.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61234, "scanner": "repobility-ai-code-hygiene", "fingerprint": "369a94ef01fb8de2cce83d4e27ebbb520a5233c11d85c70db004d7a903eb299c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/registry/bases/base/blocks/login-03/components/login-form.tsx", "duplicate_line": 10, "correlation_key": "fp|369a94ef01fb8de2cce83d4e27ebbb520a5233c11d85c70db004d7a903eb299c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/bases/base/blocks/login-04/components/login-form.tsx"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61233, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a9ee3f08606a40a4f2f0d2c7af09bc535324b9c5078e5280e3b4e8b10515ef3b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/registry/bases/base/blocks/login-02/page.tsx", "duplicate_line": 10, "correlation_key": "fp|a9ee3f08606a40a4f2f0d2c7af09bc535324b9c5078e5280e3b4e8b10515ef3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/bases/base/blocks/login-03/page.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61232, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ad644303a0d5a9016972ab79541dd7628703ded1ddb6df403b73a63f8ef74490", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/registry/bases/base/blocks/login-02/components/login-form.tsx", "duplicate_line": 27, "correlation_key": "fp|ad644303a0d5a9016972ab79541dd7628703ded1ddb6df403b73a63f8ef74490"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/bases/base/blocks/login-03/components/login-form.tsx"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61231, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8c4f634c24e18cae59fba7b6cd207b781fdbb9672d5a1c677d8401281a9a269a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/registry/bases/base/blocks/login-01/components/login-form.tsx", "duplicate_line": 1, "correlation_key": "fp|8c4f634c24e18cae59fba7b6cd207b781fdbb9672d5a1c677d8401281a9a269a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/bases/base/blocks/login-03/components/login-form.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61230, "scanner": "repobility-ai-code-hygiene", "fingerprint": "68ce0d64ac1adec112b985345c50f05842f26cd982ff7862b36e54392640eadb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/components/nav-user.tsx", "duplicate_line": 30, "correlation_key": "fp|68ce0d64ac1adec112b985345c50f05842f26cd982ff7862b36e54392640eadb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/bases/base/blocks/dashboard-01/components/nav-user.tsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61229, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ed2ed16fc9713a5a452b106c69dedc03cb8d7048cfbf2e80c279966148b7ed7c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "apps/v4/lib/llm.ts", "duplicate_line": 10, "correlation_key": "fp|ed2ed16fc9713a5a452b106c69dedc03cb8d7048cfbf2e80c279966148b7ed7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/lib/rehype.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61228, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ea79af4925576c73bb46e4dd5607a21bc8ffc554a4c8f807bc278a3a3acbe1e4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/components/copy-button.tsx", "duplicate_line": 7, "correlation_key": "fp|ea79af4925576c73bb46e4dd5607a21bc8ffc554a4c8f807bc278a3a3acbe1e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/hooks/use-copy-to-clipboard.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61227, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b1d09e1a19afe7ce4a4bceb9a5bab71c79a1655bef303562de74691efab02a5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/app/(app)/create/hooks/use-theme-toggle.tsx", "duplicate_line": 14, "correlation_key": 
"fp|6b1d09e1a19afe7ce4a4bceb9a5bab71c79a1655bef303562de74691efab02a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/components/theme-provider.tsx"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61226, "scanner": "repobility-ai-code-hygiene", "fingerprint": "63dfb2a5c3a294c291f460cfcde50162840786d60d6072e7411571c4dda39d4d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/app/(app)/create/components/mode-switcher.tsx", "duplicate_line": 23, "correlation_key": "fp|63dfb2a5c3a294c291f460cfcde50162840786d60d6072e7411571c4dda39d4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/components/mode-switcher.tsx"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61225, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e93d6325b3974071071cee4d83d0e6c5392f7dd78fe04cbe6d8722d91026de33", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/components/docs-sidebar.tsx", "duplicate_line": 18, "correlation_key": "fp|e93d6325b3974071071cee4d83d0e6c5392f7dd78fe04cbe6d8722d91026de33"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "apps/v4/components/mobile-nav.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61224, "scanner": "repobility-ai-code-hygiene", "fingerprint": "47fbf4394a94cc86f2c1f7d3cbc93b91f2e3e0cdd2ed5036961270d7f8c64ef2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/components/docs-copy-page.tsx", "duplicate_line": 98, "correlation_key": "fp|47fbf4394a94cc86f2c1f7d3cbc93b91f2e3e0cdd2ed5036961270d7f8c64ef2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/components/docs-page-links.tsx"}, "region": {"startLine": 119}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61223, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a4486886b3a4d86cd72b7783c407234f4b408a7c8129bc493436fe648dfc5743", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/components/cards/share.tsx", "duplicate_line": 2, "correlation_key": "fp|a4486886b3a4d86cd72b7783c407234f4b408a7c8129bc493436fe648dfc5743"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/components/cards/team-members.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", 
"message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61222, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1e8289f010f0ce5934c4ebc615be039c48234805820afbc4fb6ae6667c5a97cf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/app/(create)/preview/[base]/[name]/page.tsx", "duplicate_line": 54, "correlation_key": "fp|1e8289f010f0ce5934c4ebc615be039c48234805820afbc4fb6ae6667c5a97cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(view)/view/[style]/[name]/page.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61221, "scanner": "repobility-ai-code-hygiene", "fingerprint": "69b6868adb0cceb20c880a967a28f94e5507bd0836e6d77892ec453297364f71", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/app/(app)/create/lib/v0.ts", "duplicate_line": 29, "correlation_key": "fp|69b6868adb0cceb20c880a967a28f94e5507bd0836e6d77892ec453297364f71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(create)/init/md/build-instructions.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 61220, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2f3c5d40a61b24b9cace303d4adf80066a69dbdecd3d0dd31703d488b7dc9649", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/app/(app)/create/components/chart-color-picker.tsx", "duplicate_line": 66, "correlation_key": "fp|2f3c5d40a61b24b9cace303d4adf80066a69dbdecd3d0dd31703d488b7dc9649"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/create/components/theme-picker.tsx"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61219, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9ed49f38637ca5d94017d0077489e6f1ff133c503fccb35540eeb07ae1b4932a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/app/(app)/(root)/page.tsx", "duplicate_line": 19, "correlation_key": "fp|9ed49f38637ca5d94017d0077489e6f1ff133c503fccb35540eeb07ae1b4932a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/colors/layout.tsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61218, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"71372ae0b512c25749b91ea3ae03b7225577edc496765063616d52bdbb5ab453", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/app/(app)/blocks/layout.tsx", "duplicate_line": 40, "correlation_key": "fp|71372ae0b512c25749b91ea3ae03b7225577edc496765063616d52bdbb5ab453"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/charts/layout.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61217, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d4365d54ff12ed823a2fdaeea3d48220b417619d55a2807daf32c38b7cd16f37", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/app/(app)/(root)/page.tsx", "duplicate_line": 19, "correlation_key": "fp|d4365d54ff12ed823a2fdaeea3d48220b417619d55a2807daf32c38b7cd16f37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/charts/layout.tsx"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61216, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ca1f9c620b0f033e9f847ef2797d7effcc40965e0d4acdb7b93f17ae022729e1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/app/(app)/(root)/page.tsx", "duplicate_line": 19, "correlation_key": "fp|ca1f9c620b0f033e9f847ef2797d7effcc40965e0d4acdb7b93f17ae022729e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/blocks/layout.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61215, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cf960b469729e875617e4b33fcb8d76c45c0921c2d268e26d76ff9a15e9040e7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/app/(app)/(styles)/sera/edit-article/components/preview-header.tsx", "duplicate_line": 3, "correlation_key": "fp|cf960b469729e875617e4b33fcb8d76c45c0921c2d268e26d76ff9a15e9040e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/(styles)/sera/media-library/components/preview-header.tsx"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61214, "scanner": "repobility-ai-code-hygiene", "fingerprint": "56033006e54568d94ead548c1decf2cd7b98a42d3b8ba6284c11c25b13fdb4a9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A 
normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/app/(app)/(styles)/sera/media-library-table/components/preview-header.tsx", "duplicate_line": 1, "correlation_key": "fp|56033006e54568d94ead548c1decf2cd7b98a42d3b8ba6284c11c25b13fdb4a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/(styles)/sera/media-library/components/preview-header.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61213, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0e07db92af0f087c0dedc108699077912aa879020f7ce230c806060600b65bdb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/app/(app)/(styles)/sera/media-library-table/components/asset-table.tsx", "duplicate_line": 25, "correlation_key": "fp|0e07db92af0f087c0dedc108699077912aa879020f7ce230c806060600b65bdb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/(styles)/sera/media-library/components/asset-grid.tsx"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61212, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b9d874a52bad83284b7c07a6a60b4e6176f8a5aee8d4d8050f954b6cbbae7275", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/app/(app)/(styles)/sera/article-directory/components/article-directory.tsx", "duplicate_line": 3, "correlation_key": "fp|b9d874a52bad83284b7c07a6a60b4e6176f8a5aee8d4d8050f954b6cbbae7275"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/(styles)/sera/media-library/components/asset-grid.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61211, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c78af5e01c4a558ccabfe540c8b995e383aaecaea5d0a968e181ada8ac1c5fe2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/app/(app)/(styles)/sera/edit-article/components/preview-header.tsx", "duplicate_line": 3, "correlation_key": "fp|c78af5e01c4a558ccabfe540c8b995e383aaecaea5d0a968e181ada8ac1c5fe2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/(styles)/sera/media-library-table/components/preview-header.tsx"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61210, "scanner": "repobility-ai-code-hygiene", "fingerprint": "939cc45e2af1e278437a69b48f06a2ff41bcfd9bb797c1e477fd09cf0c8b968f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/app/(app)/(root)/cards/payout-threshold.tsx", "duplicate_line": 1, "correlation_key": "fp|939cc45e2af1e278437a69b48f06a2ff41bcfd9bb797c1e477fd09cf0c8b968f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/(root)/cards/transfer-funds.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 61209, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2855e517ae16177a07c31adea1e637cf73ba8036cbfab2cd24d179db674cc111", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/v4/app/(app)/(root)/cards/index.tsx", "duplicate_line": 84, "correlation_key": "fp|2855e517ae16177a07c31adea1e637cf73ba8036cbfab2cd24d179db674cc111"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/(root)/cards/skeleton/index.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 61208, "scanner": "repobility-threat-engine", "fingerprint": "356449a2e8653d02f8fc67eacc3aaee7232cbd5de588a325dce20d0238d7b71b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|356449a2e8653d02f8fc67eacc3aaee7232cbd5de588a325dce20d0238d7b71b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/icons/create-icon-loader.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC134", "level": "none", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 61207, "scanner": "repobility-threat-engine", "fingerprint": "a987a8a81ed8762fe98b45087b8a11e0158e5aec966f64281d131cfd89e658de", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a987a8a81ed8762fe98b45087b8a11e0158e5aec966f64281d131cfd89e658de"}}}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 61200, "scanner": "repobility-threat-engine", "fingerprint": "72521ccc694655d32e52a82701530727dcac5ffaf5c008869d398368eb7990ee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|72521ccc694655d32e52a82701530727dcac5ffaf5c008869d398368eb7990ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/bases/radix/blocks/preview-02/cards/account-access.tsx"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 61199, "scanner": "repobility-threat-engine", "fingerprint": "3da009530464942b7d81be9ae9cb6f058befcc2e2a124c92324578ba3c22bb81", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": 
"placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3da009530464942b7d81be9ae9cb6f058befcc2e2a124c92324578ba3c22bb81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/bases/base/blocks/preview-02/cards/account-access.tsx"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 61198, "scanner": "repobility-threat-engine", "fingerprint": "7aee68b990e16c9c81aa5a916ccc41170c32918028ebce5247fcacadd1f2c619", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7aee68b990e16c9c81aa5a916ccc41170c32918028ebce5247fcacadd1f2c619", "aggregated_count": 1}}}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). 
Common AI hallucination."}, "properties": {"repobilityId": 61197, "scanner": "repobility-threat-engine", "fingerprint": "641f5ce2ac1180e1d679cc456c2c79a91ee4d48069d7211d454b9002440a3c56", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|641f5ce2ac1180e1d679cc456c2c79a91ee4d48069d7211d454b9002440a3c56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/bases/base/blocks/preview/cards/environment-variables.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). 
Common AI hallucination."}, "properties": {"repobilityId": 61196, "scanner": "repobility-threat-engine", "fingerprint": "13754f69eb2fc6bc97f166c491e1ac25d29a65764cbd386fb11de468001a3f0c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|13754f69eb2fc6bc97f166c491e1ac25d29a65764cbd386fb11de468001a3f0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/examples/radix/input-badge.tsx"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). 
Common AI hallucination."}, "properties": {"repobilityId": 61195, "scanner": "repobility-threat-engine", "fingerprint": "4a8097c9ea1a3dd37e3d4383f7cf2730dae49b9085ae59d535f04022373e61da", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4a8097c9ea1a3dd37e3d4383f7cf2730dae49b9085ae59d535f04022373e61da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/examples/base/input-badge.tsx"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 61194, "scanner": "repobility-threat-engine", "fingerprint": "a300951bf3798c48bc8d59611c317aa9e006b7ff8021c3620ea21ed81be60dc9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a300951bf3798c48bc8d59611c317aa9e006b7ff8021c3620ea21ed81be60dc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/registry/bases.ts"}, "region": 
{"startLine": 13}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 61193, "scanner": "repobility-threat-engine", "fingerprint": "e40fbf832926d9e120325db27e264c17e3852e57c84ff7625409550c6a9a37e8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e40fbf832926d9e120325db27e264c17e3852e57c84ff7625409550c6a9a37e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/rss.xml/route.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 61191, "scanner": "repobility-threat-engine", "fingerprint": "29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 61184, "scanner": "repobility-threat-engine", "fingerprint": "e6b12850e54eb1ffa424becfb0f6a8e7a5c6d257d13b26934f0112681066c89f", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e6b12850e54eb1ffa424becfb0f6a8e7a5c6d257d13b26934f0112681066c89f"}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 61180, "scanner": "repobility-threat-engine", "fingerprint": "d8964d329792103608480cfc9c4ebb3dac5ecc10d3866bbd8caab3508a370874", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d8964d329792103608480cfc9c4ebb3dac5ecc10d3866bbd8caab3508a370874", "aggregated_count": 12}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Sanitize the markup with DOMPurify (or an equivalent sanitizer) before rendering, or never use it with user-controlled data."}, "properties": {"repobilityId": 61179, "scanner": "repobility-threat-engine", "fingerprint": "171bb773157bbd0272668a1dd74d68496498a36088a740bd7ce1158bbedd84c8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|171bb773157bbd0272668a1dd74d68496498a36088a740bd7ce1158bbedd84c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/create/components/history-buttons.tsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Sanitize the markup with DOMPurify (or an equivalent sanitizer) before rendering, or never use it with user-controlled data."}, "properties": {"repobilityId": 61178, "scanner": "repobility-threat-engine", "fingerprint": "6f4e18c58532c181b013a284b8aab727b4a6e48666470f5c2971e7f5c59749f7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6f4e18c58532c181b013a284b8aab727b4a6e48666470f5c2971e7f5c59749f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/create/components/base-picker.tsx"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Sanitize the markup with DOMPurify (or an equivalent sanitizer) before rendering, or never use it with user-controlled data."}, "properties": {"repobilityId": 61177, "scanner": "repobility-threat-engine", "fingerprint": "70d08f2d725f8902358fa72e83f47f11401bca48843f90aa6a87363739e19c2b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|70d08f2d725f8902358fa72e83f47f11401bca48843f90aa6a87363739e19c2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/create/components/action-menu.tsx"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 61176, "scanner": "repobility-threat-engine", "fingerprint": "dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 86 more): Same pattern found in 86 additional files. Review if needed."}, "properties": {"repobilityId": 61172, "scanner": "repobility-threat-engine", "fingerprint": "f144703ac705eb9662ff2c673281a5081d675b173c53433bd1b3e5d94a35e946", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 86 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f144703ac705eb9662ff2c673281a5081d675b173c53433bd1b3e5d94a35e946", "aggregated_count": 86}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 61171, "scanner": "repobility-threat-engine", "fingerprint": "9a40009e78f4d8d23e3e37d9172bca4d610badbda672b7d232d4dae19f0d7ff2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", 
"javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9a40009e78f4d8d23e3e37d9172bca4d610badbda672b7d232d4dae19f0d7ff2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/(root)/cards/skeleton/power-usage.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 61170, "scanner": "repobility-threat-engine", "fingerprint": "8409286a3e0698be4edd67eb38acaf2c03f21a338009d3264c78b576590c2010", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8409286a3e0698be4edd67eb38acaf2c03f21a338009d3264c78b576590c2010"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/(root)/cards/skeleton/dividend-income.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 61169, "scanner": "repobility-threat-engine", "fingerprint": "200c92a8a8e864ca78164aa518e8df3c9cd77b92edee52aa93f520d0cc8a8ffe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|200c92a8a8e864ca78164aa518e8df3c9cd77b92edee52aa93f520d0cc8a8ffe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/(root)/cards/skeleton/contribution-history.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 61168, "scanner": "repobility-threat-engine", "fingerprint": "8d382f1a9011e34b41d4813c5064868da88d0861c3460c6e680d07ddd9a72035", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8d382f1a9011e34b41d4813c5064868da88d0861c3460c6e680d07ddd9a72035", "aggregated_count": 12}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 61167, "scanner": "repobility-threat-engine", "fingerprint": "66459bc6e8fdfb0c16e96e38a08767ae8dcb51046bd209c05793dc6913d7cc4e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|66459bc6e8fdfb0c16e96e38a08767ae8dcb51046bd209c05793dc6913d7cc4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/(styles)/sera/components/lazy-preview.tsx"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 61166, "scanner": "repobility-threat-engine", "fingerprint": "01a1b8bfde3ca738856f438d43ce9169d5dae46ad066603323b39d070ce07260", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|01a1b8bfde3ca738856f438d43ce9169d5dae46ad066603323b39d070ce07260"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/(root)/cards/skeleton/index.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 61165, "scanner": "repobility-threat-engine", "fingerprint": "003f72fc7af453f63844a34599485a6e105927305871c12475fd1070bf81846d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|003f72fc7af453f63844a34599485a6e105927305871c12475fd1070bf81846d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/(root)/cards/index.tsx"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 61164, "scanner": "repobility-threat-engine", "fingerprint": "5dbb9c9aeae4e323789e3c8382a48b9986a1c09f59fc9918e319871ba411dc73", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|5dbb9c9aeae4e323789e3c8382a48b9986a1c09f59fc9918e319871ba411dc73", "aggregated_count": 10}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 61163, "scanner": "repobility-threat-engine", "fingerprint": "3a6a54e8d03d5ffe420360b033b0fb62f9d41912999ac077e00a6d968b2a893d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3a6a54e8d03d5ffe420360b033b0fb62f9d41912999ac077e00a6d968b2a893d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/examples/tasks/data/seed.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 61162, "scanner": "repobility-threat-engine", "fingerprint": "09ba302d006f26b5c3572c2d3a44cd67b6b413cf552889c02e3e0e553323528d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|09ba302d006f26b5c3572c2d3a44cd67b6b413cf552889c02e3e0e553323528d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/version-script-prerelease.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 61161, "scanner": "repobility-threat-engine", "fingerprint": "130ad8c2b48022fd14756d340ae346917745e026f69c2533c7ab73dd12046b7c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|130ad8c2b48022fd14756d340ae346917745e026f69c2533c7ab73dd12046b7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/version-script-next.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61300, "scanner": "repobility-supply-chain", "fingerprint": "8be6ee70a62679ced23e36efb42ff86498d1cb9dbf7804c82266597d25f0a062", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8be6ee70a62679ced23e36efb42ff86498d1cb9dbf7804c82266597d25f0a062"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prerelease-comment.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `marocchino/sticky-pull-request-comment` pinned to mutable ref `@v2`: `uses: marocchino/sticky-pull-request-comment@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61299, "scanner": "repobility-supply-chain", "fingerprint": "0f2ce1672638b637ed506f1f1447744a8691c03b9b8ccdff6a68dd45e7fda8d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f2ce1672638b637ed506f1f1447744a8691c03b9b8ccdff6a68dd45e7fda8d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prerelease-comment.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61298, "scanner": "repobility-supply-chain", "fingerprint": "10d87bf4e0214bf10a0f01f6d3f3dce1b609a138e2a1d597762f7f074f0ed7df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|10d87bf4e0214bf10a0f01f6d3f3dce1b609a138e2a1d597762f7f074f0ed7df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prerelease-comment.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61297, "scanner": "repobility-supply-chain", "fingerprint": "18459b7ec72f146d1e8db9ecbf5cec5fc3303c495bd61b827af6641ae2baa824", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|18459b7ec72f146d1e8db9ecbf5cec5fc3303c495bd61b827af6641ae2baa824"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v3`: `uses: actions/cache@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61296, "scanner": "repobility-supply-chain", "fingerprint": "098970c2ab387963565677a2ee2aa20805721c0f5f88c4375faa4761488c3260", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|098970c2ab387963565677a2ee2aa20805721c0f5f88c4375faa4761488c3260"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61295, "scanner": "repobility-supply-chain", "fingerprint": "47726eff6fcd90932d8606578d054cde63d372d13b50ff5ccb6b783006d1352c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47726eff6fcd90932d8606578d054cde63d372d13b50ff5ccb6b783006d1352c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61294, "scanner": "repobility-supply-chain", "fingerprint": "e3a149c2f5e74de7fb8fdf2204700e6f6ba8774804b2e342a41552ba9fe41097", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e3a149c2f5e74de7fb8fdf2204700e6f6ba8774804b2e342a41552ba9fe41097"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61293, "scanner": "repobility-supply-chain", "fingerprint": "d2b09088c43ce84e0250f0c5f5b98a346e82e9197f8dff50508b3f027a046e8f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d2b09088c43ce84e0250f0c5f5b98a346e82e9197f8dff50508b3f027a046e8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61292, "scanner": "repobility-supply-chain", "fingerprint": "551fdfd64c2741c212f2d1494ce57a6359a701d9698212b51291da610423024c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|551fdfd64c2741c212f2d1494ce57a6359a701d9698212b51291da610423024c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.github/workflows/lint-repo.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61291, "scanner": "repobility-supply-chain", "fingerprint": "2a87f5f75163cb2d4c307f939f64b50e574ac136eb46d092d4f078fb9532274b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2a87f5f75163cb2d4c307f939f64b50e574ac136eb46d092d4f078fb9532274b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.github/workflows/lint-repo.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/stale` pinned to mutable ref `@v9`: `uses: actions/stale@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61290, "scanner": "repobility-supply-chain", "fingerprint": "fda8dc3f2c13bbdc0b7a2698ddc2eb78aca350c09feafadeee1ce065a1991cff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fda8dc3f2c13bbdc0b7a2698ddc2eb78aca350c09feafadeee1ce065a1991cff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.github/workflows/no-response.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61289, "scanner": "repobility-supply-chain", "fingerprint": "6e0281e7e8d3d5d24f16b1dd873facd32801290246c22717f86a89b2b32c1b08", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e0281e7e8d3d5d24f16b1dd873facd32801290246c22717f86a89b2b32c1b08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.github/workflows/format-repo.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61288, "scanner": "repobility-supply-chain", "fingerprint": "0a973ae3b3296e74597acd4ebd0c33ee6321dcd1d5e738b5b76104173e54beb2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a973ae3b3296e74597acd4ebd0c33ee6321dcd1d5e738b5b76104173e54beb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.github/workflows/format-repo.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `superfly/flyctl-actions/setup-flyctl` pinned to mutable ref `@v1`: `uses: superfly/flyctl-actions/setup-flyctl@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61285, "scanner": "repobility-supply-chain", "fingerprint": "3e42276020b129e27c68b4574b1e3726e389956ad9331102790eb97e6d392061", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e42276020b129e27c68b4574b1e3726e389956ad9331102790eb97e6d392061"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.github/workflows/deploy.yml"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SebRollen/toml-action` pinned to mutable ref `@v1.2.0`: `uses: SebRollen/toml-action@v1.2.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61284, "scanner": "repobility-supply-chain", "fingerprint": "3775bbba9cd6700130f8d467c7de7c6a475d8294b27e7dc1d47cf6ff5d764d6e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3775bbba9cd6700130f8d467c7de7c6a475d8294b27e7dc1d47cf6ff5d764d6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.github/workflows/deploy.yml"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61283, "scanner": "repobility-supply-chain", "fingerprint": "c887976c9615aa236ffae53f432234c88da6e5441b0e70d82022f12acc5c4aea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c887976c9615aa236ffae53f432234c88da6e5441b0e70d82022f12acc5c4aea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.github/workflows/deploy.yml"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cypress-io/github-action` pinned to mutable ref `@v6`: `uses: cypress-io/github-action@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61282, "scanner": "repobility-supply-chain", "fingerprint": "ecaee0b07e646f3bd6ddd0a31b59e878f1fa8d53db78049e9d76367a42e66c87", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ecaee0b07e646f3bd6ddd0a31b59e878f1fa8d53db78049e9d76367a42e66c87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.github/workflows/deploy.yml"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61281, "scanner": "repobility-supply-chain", "fingerprint": "74817e97af29b80a7a40893ca8f6e0b7eb450561ea60e9656a628fc78c94ac5c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|74817e97af29b80a7a40893ca8f6e0b7eb450561ea60e9656a628fc78c94ac5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.github/workflows/deploy.yml"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61280, "scanner": "repobility-supply-chain", "fingerprint": "5d0a1cc5b19ca1340bab25f566311b6ab1aabfc53bfb870ff9bec7cf21d75e7d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5d0a1cc5b19ca1340bab25f566311b6ab1aabfc53bfb870ff9bec7cf21d75e7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.github/workflows/deploy.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61279, "scanner": "repobility-supply-chain", "fingerprint": "4d981996c0066c30f4008b9f8e76163cc17c7b1bd5eae6638fe6c009069024f1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d981996c0066c30f4008b9f8e76163cc17c7b1bd5eae6638fe6c009069024f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.github/workflows/deploy.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61278, "scanner": "repobility-supply-chain", "fingerprint": "20c952fa6bd7d4f8fb830bb284a57c50927470986b2969334403ea04c4d64141", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|20c952fa6bd7d4f8fb830bb284a57c50927470986b2969334403ea04c4d64141"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.github/workflows/deploy.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61277, "scanner": "repobility-supply-chain", "fingerprint": "fb1e4a7ff59412e9c424c854a266f575a79de720786fd9045330a195d7d297cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fb1e4a7ff59412e9c424c854a266f575a79de720786fd9045330a195d7d297cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.github/workflows/deploy.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61276, "scanner": "repobility-supply-chain", "fingerprint": "3f6fdaf0465d93dc48130d2d89ad27422b3ac97198625e50916264715c88b452", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3f6fdaf0465d93dc48130d2d89ad27422b3ac97198625e50916264715c88b452"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.github/workflows/deploy.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61275, "scanner": "repobility-supply-chain", "fingerprint": "59a9e1b3d6727898877703115baad529846cc119bc589b8afe29d174c84f7d76", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|59a9e1b3d6727898877703115baad529846cc119bc589b8afe29d174c84f7d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.github/workflows/deploy.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 61274, "scanner": "repobility-supply-chain", "fingerprint": "8710cd806941dde996f8b083b6b43a73fe75dd235469447e7f9bbe0698f39ba1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8710cd806941dde996f8b083b6b43a73fe75dd235469447e7f9bbe0698f39ba1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.github/workflows/deploy.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `gitpod/workspace-full (no tag)` not pinned by digest: `FROM gitpod/workspace-full (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image:tag@sha256:...`, keeping the readable tag beside the digest, for reproducibility and supply-chain integrity. Here the reference carries no tag at all, so it resolves to `:latest`, the least stable choice. A digest pin also freezes base-image security patches, so pair it with Dependabot or Renovate to bump the digest; the file name suggests this is a Gitpod workspace image rather than a production image, which affects how urgently it needs fixing."}, "properties": {"repobilityId": 61273, "scanner": "repobility-supply-chain", "fingerprint": "ecda83b5a72a160fa68763ca2a33b1a896bf339b4189e3481e02691dd2e82dde", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ecda83b5a72a160fa68763ca2a33b1a896bf339b4189e3481e02691dd2e82dde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.gitpod.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:18-bullseye-slim` not pinned by digest: `FROM node:18-bullseye-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 61272, "scanner": "repobility-supply-chain", "fingerprint": "6b9d1ec767fed6c5b780546fe43fbe1ab1f1ddfdf946d0dd22d2b37a9d1f29d5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b9d1ec767fed6c5b780546fe43fbe1ab1f1ddfdf946d0dd22d2b37a9d1f29d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 61271, "scanner": "repobility-supply-chain", "fingerprint": "1a69b2e7c71cff18e8829c2b2a00c2c19142bc0246ba635489c6ebf2771b3c37", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1a69b2e7c71cff18e8829c2b2a00c2c19142bc0246ba635489c6ebf2771b3c37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/react-router-monorepo/apps/web/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 61270, "scanner": "repobility-supply-chain", "fingerprint": "df202dda10ce60285f26f62dea53ce5c2bc8f5b113edec7eef271a0b7807e294", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|df202dda10ce60285f26f62dea53ce5c2bc8f5b113edec7eef271a0b7807e294"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/react-router-monorepo/apps/web/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 61269, "scanner": "repobility-supply-chain", "fingerprint": "41faa9808dfdd7b8f28dc14b6285bb300bac5651bd945bc4f1f4ab63f37dbb4b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|41faa9808dfdd7b8f28dc14b6285bb300bac5651bd945bc4f1f4ab63f37dbb4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/react-router-monorepo/apps/web/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 61268, "scanner": "repobility-supply-chain", "fingerprint": "46b79ff48c6c74c8159dfd41568ef1a8fd6729a76689cb6247215351bf4744b4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|46b79ff48c6c74c8159dfd41568ef1a8fd6729a76689cb6247215351bf4744b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/react-router-monorepo/apps/web/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 61267, "scanner": "repobility-supply-chain", "fingerprint": "0d91336cd7933bc0939c9f56d7ce0195ebf864e8860f203e328da3c202a8ab78", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0d91336cd7933bc0939c9f56d7ce0195ebf864e8860f203e328da3c202a8ab78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/react-router-app/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 61266, "scanner": "repobility-supply-chain", "fingerprint": "d97ed02ea3ea653aeb2a295abb4c9dd37dc96acbd1bf0548b1de55d146563b7f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d97ed02ea3ea653aeb2a295abb4c9dd37dc96acbd1bf0548b1de55d146563b7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/react-router-app/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 61265, "scanner": "repobility-supply-chain", "fingerprint": "789084062ff842662a68646925f75d9f593d6790c0b2bc800be0b106f88b744f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|789084062ff842662a68646925f75d9f593d6790c0b2bc800be0b106f88b744f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/react-router-app/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 61264, "scanner": "repobility-supply-chain", "fingerprint": "ee324bd2241ae211b146652359f63eceedf061bbc698aa5306601cc471fdecd6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ee324bd2241ae211b146652359f63eceedf061bbc698aa5306601cc471fdecd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/react-router-app/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 61248, "scanner": "repobility-docker", "fingerprint": "9a74d37bbaa90f9732c4600812aeb338a99e95a546a2bd3ea76fc802e8c5e2ba", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9a74d37bbaa90f9732c4600812aeb338a99e95a546a2bd3ea76fc802e8c5e2ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/react-router-monorepo/apps/web/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 61247, "scanner": "repobility-docker", "fingerprint": "3305ad6520ad788c22349c07a7e260f0b38ad4a8cb98974c11f49c9ff7b3ee15", 
"category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|3305ad6520ad788c22349c07a7e260f0b38ad4a8cb98974c11f49c9ff7b3ee15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/react-router-monorepo/apps/web/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 61244, "scanner": "repobility-docker", "fingerprint": "7f01958ce6fedef60b048b9beb72024ff06fc317f747af11b0f5240c5feb327b", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|7f01958ce6fedef60b048b9beb72024ff06fc317f747af11b0f5240c5feb327b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/react-router-app/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 61243, "scanner": "repobility-docker", "fingerprint": "601ef5e2bee2fa7dd18eb85fba5998e7065301c9abdef874630819a4a454f0a7", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": 
"DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|601ef5e2bee2fa7dd18eb85fba5998e7065301c9abdef874630819a4a454f0a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/react-router-app/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. Triage note: the matched evidence here is a `URL(` constructor call, which parses a string but issues no request on its own; confirm the resulting URL is actually handed to fetch/http and that its host (not just its path or query) is attacker-controlled before treating this as a confirmed SSRF. If it is, validate the host against an allowlist rather than a denylist."}, "properties": {"repobilityId": 61190, "scanner": "repobility-threat-engine", "fingerprint": "f21ec6bb28106807d0253eebcb66d0a8e7d9e8d9e277128724c9d01506820dd8", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f21ec6bb28106807d0253eebcb66d0a8e7d9e8d9e277128724c9d01506820dd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/og/route.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 61189, "scanner": "repobility-threat-engine", "fingerprint": "38604e4afedbe2663471cb194ec098036168fd396a4467832ff5ca12d6221753", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|38604e4afedbe2663471cb194ec098036168fd396a4467832ff5ca12d6221753"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/layout.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 61188, "scanner": "repobility-threat-engine", "fingerprint": "dcd029df14ff3ad0ba8f6d45a9d55eb9844e8541b9e0bf5aebefd07af6b16432", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dcd029df14ff3ad0ba8f6d45a9d55eb9844e8541b9e0bf5aebefd07af6b16432"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/docs/[[...slug]]/page.tsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and runs any event-handler attributes (for example `<img onerror=...>`) or `javascript:` URLs in the data; note that `<script>` elements inserted via innerHTML are parsed but not executed, so filtering for `<script>` alone is not a mitigation. CWE-79. 
Especially dangerous when the data comes from a request parameter, a stored profile field, or any other user-input pipeline; in React/TSX look for `dangerouslySetInnerHTML` as well as `.innerHTML`. Triage note: the matched evidence here is only a template literal that builds version-label strings from an array index, so confirm the string actually reaches an HTML sink and that an interpolated value is attacker-controlled before treating this as a confirmed XSS."}, "properties": {"repobilityId": 61183, "scanner": "repobility-threat-engine", "fingerprint": "c49c367eca95f963979c2ec2c636a0897b724caa72ad5bb9f609246878c5a771", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n  (_, i, a) => `v1.2.0-beta.${a.length - i}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c49c367eca95f963979c2ec2c636a0897b724caa72ad5bb9f609246878c5a771"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/examples/base/scroll-area-demo.tsx"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a request parameter, a stored profile field, or any other user-input pipeline; in React/TSX look for `dangerouslySetInnerHTML` as well as `.innerHTML`. Triage note: the matched evidence here is a template literal that emits `--key: value` CSS custom-property declarations, which is a CSS sink rather than an HTML sink; confirm whether `key` or `value` can be attacker-controlled and whether the result lands in a style block or in innerHTML before treating this as a confirmed XSS."}, "properties": {"repobilityId": 61182, "scanner": "repobility-threat-engine", "fingerprint": "612c2c194ee975900b2efef511a726d02c0f189a935139a1ba132eeb013057d3", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([key, value]) => `  --${key}: ${value}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|612c2c194ee975900b2efef511a726d02c0f189a935139a1ba132eeb013057d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(create)/init/md/build-instructions.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 61181, "scanner": "repobility-threat-engine", "fingerprint": "f2efb288973ba27aa2b66b921a016d52c0e6c631d504d20c4b5bdeef6da76008", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([key, value]) => `  --${key}: ${value}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f2efb288973ba27aa2b66b921a016d52c0e6c631d504d20c4b5bdeef6da76008"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/create/components/design-system-provider.tsx"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production. Reviewer note: the matched call is `next.delete(param)`; `delete()` on a Set, Map or URLSearchParams is synchronous and returns a boolean or undefined, not a Promise. Confirm at use-locks.tsx:37 that `next` is actually an async client; if it is a Set/Map copy held in React state (the usual pattern in a hooks file), this is a false positive and no await is needed."}, "properties": {"repobilityId": 61175, "scanner": "repobility-threat-engine", "fingerprint": "6cd38089312801dd1e88873a727df019633b5662cb3c6f76862e3ef1ba1a93e6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "next.delete(param)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6cd38089312801dd1e88873a727df019633b5662cb3c6f76862e3ef1ba1a93e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/create/hooks/use-locks.tsx"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production. Reviewer note: the matched call removes a `preset` key from `params`, which reads like `URLSearchParams.delete()`; that method is synchronous and returns undefined, so there is no Promise to await. Confirm at use-history.tsx:89 that `params` is not a Promise-returning client before treating this as a missing await; otherwise mark it as a false positive."}, "properties": {"repobilityId": 61174, "scanner": "repobility-threat-engine", "fingerprint": "ae9b0162ea86c77a81d24e6db89069e6dbe2575ee71ab3350f7c8a84fb425abc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "params.delete(\"preset\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ae9b0162ea86c77a81d24e6db89069e6dbe2575ee71ab3350f7c8a84fb425abc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/create/hooks/use-history.tsx"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production. Reviewer note: the matched call is `next.delete(id)`; if `next` is a Set or Map copy used for row-selection state in the table component, `delete()` is synchronous and this is a false positive. Only a receiver whose `delete` returns a Promise (an API or storage client) needs an `await` or an explicit `.catch()` so that failures are not silently dropped; confirm at asset-table.tsx:79."}, "properties": {"repobilityId": 61173, "scanner": "repobility-threat-engine", "fingerprint": "85d6fe8701a5f23c0ceb6abaf2c7201766e18b94921f8d352d1b197c76254db1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "next.delete(id)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|85d6fe8701a5f23c0ceb6abaf2c7201766e18b94921f8d352d1b197c76254db1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/v4/app/(app)/(styles)/sera/media-library-table/components/asset-table.tsx"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.RELEASE_GPG_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the PR head (fork) code. Referencing `${{ secrets.RELEASE_GPG_PRIVATE_KEY }}` in that job lets PR-controlled code read the secret (modify a script, log the value, etc.). Note that GitHub withholds repository secrets, other than a read-only GITHUB_TOKEN, from `pull_request` runs opened from forks, so the fork path only materialises on `pull_request_target` or if the trigger is changed later; pull requests from same-repository branches still receive the secret. 
Use `pull_request_target` ONLY with strict checkout discipline (never check out `github.event.pull_request.head.sha` and then run its scripts, build steps or package.json hooks in the trusted context). For a release signing key the safer fix is to drop the secret from any PR-triggered job and sign only on a tag `push` or `release` trigger, with the secret scoped to a protected environment that requires reviewers; if RELEASE_GPG_PRIVATE_KEY has ever been reachable from a PR-triggered job, rotate it and revoke the old key."}, "properties": {"repobilityId": 61301, "scanner": "repobility-supply-chain", "fingerprint": "1a4b22a776469fb5b2fd001c33bf6ea2108ce838a799cabd6b89c2c31e234453", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1a4b22a776469fb5b2fd001c33bf6ea2108ce838a799cabd6b89c2c31e234453"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FLY_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the PR head (fork) code. Referencing `${{ secrets.FLY_API_TOKEN }}` in that job lets PR-controlled code read the secret (modify a script, log the value, etc.). Note that GitHub withholds repository secrets, other than a read-only GITHUB_TOKEN, from `pull_request` runs opened from forks, so the fork path only materialises on `pull_request_target` or if the trigger is changed later; pull requests from same-repository branches still receive the secret. 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context). Reviewer note: this file lives under packages/shadcn/test/fixtures/frameworks/remix-indie-stack/, a vendored test fixture; GitHub Actions only runs workflows from the repository root .github/workflows/, so this copy is not executed by this repository's CI. Treat it as advice for projects scaffolded from the fixture (or record a policy-file exception) rather than as an exposure of a secret held by this repository."}, "properties": {"repobilityId": 61287, "scanner": "repobility-supply-chain", "fingerprint": "207a1daf08c3a8d72b9d554892de917154841536136a4e8012f2c94fc81006ac", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|207a1daf08c3a8d72b9d554892de917154841536136a4e8012f2c94fc81006ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.github/workflows/deploy.yml"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FLY_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the PR head (fork) code. Referencing `${{ secrets.FLY_API_TOKEN }}` in that job lets PR-controlled code read the secret (modify a script, log the value, etc.). Note that GitHub withholds repository secrets, other than a read-only GITHUB_TOKEN, from `pull_request` runs opened from forks, so the fork path only materialises on `pull_request_target` or if the trigger is changed later; pull requests from same-repository branches still receive the secret. 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context). Reviewer note: this is a second reference (line 138) in the same vendored fixture, packages/shadcn/test/fixtures/frameworks/remix-indie-stack/deploy.yml; GitHub Actions only runs workflows from the repository root .github/workflows/, so it is not executed by this repository's CI. Triage it together with the line 144 finding: advisory for projects scaffolded from the fixture, or a policy-file exception, rather than an exposure of a secret held by this repository."}, "properties": {"repobilityId": 61286, "scanner": "repobility-supply-chain", "fingerprint": "c190a5bb4950243831e2a6e82f48b8ea400cc15868d8c324c404dfaf01297dce", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c190a5bb4950243831e2a6e82f48b8ea400cc15868d8c324c404dfaf01297dce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shadcn/test/fixtures/frameworks/remix-indie-stack/.github/workflows/deploy.yml"}, "region": {"startLine": 138}}}]}]}]}