{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED124", "name": "[MINED124] requirements.txt: `}` has no version pin: Unpinned pip requirement means every fresh install may resolve a di", "shortDescription": {"text": "[MINED124] requirements.txt: `}` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs ne"}, "fullDescription": {"text": "Replace `}` with `}==<version>` and manage upgrades through PRs / Dependabot."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /${"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Dockerfile base image uses the latest tag", "shortDescription": {"text": "Dockerfile base image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", 
"shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. 
If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `_format_parameter_diff` has cognitive complexity 16 (SonarSource scale). ", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `_format_parameter_diff` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and "}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. 
SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 16."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": 
"Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Use `pip install --no-cache-dir ...` in container builds."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `benchmark` image is 
selected through a build variable", "shortDescription": {"text": "Compose service `benchmark` image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED074", "name": "[MINED074] Ai Tell Fake Citation (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED074] Ai Tell Fake Citation (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 10 more): Same pattern found in 10 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 7 more): Same pattern found in 7 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 47 more): Same pattern found in 47 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 47 more): Same pattern found in 47 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 34 more): Same pattern found in 34 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 34 more): Same pattern found in 34 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED024] Js Eval Usage (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 33 more): Same pattern found in 33 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 33 more): Same pattern found in 33 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 17 more): Same pattern found in 17 additional files. Review if nee", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED049] Print Pii (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 47 more): Same pattern found in 47 additional f", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 47 more): Same pattern found in 47 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 88 more): Same pattern found in 88 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 88 more): Same pattern found in 88 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml` pinned to mutab", "shortDescription": {"text": "[MINED115] Action `slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml` pinned to mutable ref `@v2.1.0`: `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0` re"}, "fullDescription": {"text": "Replace with: `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@<40-char-sha>  # v2.1.0` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `xlsx` pulled from URL/Git: `dependencies.xlsx` = `https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-", "shortDescription": {"text": "[MINED122] package.json dep `xlsx` pulled from URL/Git: `dependencies.xlsx` = `https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or g"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `node:24.15.0` not pinned by digest: `FROM node:24.15.0` resolves the tag at build time. 
The ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `node:24.15.0` not pinned by digest: `FROM node:24.15.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images shou"}, "fullDescription": {"text": "Replace with: `FROM node:24.15.0@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_format_method_in_call_chain_allowed: Test function `test_format_method_in_call_ch", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_format_method_in_call_chain_allowed: Test function `test_format_method_in_call_chain_allowed` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line cove"}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_Global` of class `SecurityValidator`", "shortDescription": {"text": "[MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_Global` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises Attr"}, "fullDescription": {"text": "Initialize `self._add_violation = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. 
Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED099", "name": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded dir", "shortDescription": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "fullDescription": {"text": "Move the secret to an environment variable or secret manager. Rotate the exposed credential immediately \u2014 assume it is compromised."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in G", "shortDescription": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC111", "name": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. Cal", "shortDescription": {"text": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. Calling them on non-constant data is XSS."}, "fullDescription": {"text": "Use `django.utils.html.format_html(\"<p>{}</p>\", user_input)` \u2014 Django will escape the placeholder. Or escape explicitly with `django.utils.html.escape()`. 
Only use `mark_safe` on string literals."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.N8N_ASSISTANT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_req", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.N8N_ASSISTANT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_ASSISTANT_APP_ID }` lets a PR from any fork exfiltr"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/718"}, "properties": {"repository": "n8n-io/n8n", "repoUrl": "https://github.com/n8n-io/n8n", "branch": "master"}, "results": [{"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `}` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 58369, "scanner": "repobility-supply-chain", "fingerprint": "a8ab68eeb3e64b7a8ca8acc974686fcf6e0e989c3ae49901f8821c2da3b127f7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a8ab68eeb3e64b7a8ca8acc974686fcf6e0e989c3ae49901f8821c2da3b127f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/modules/n8n-packages/entities/requirements-extractor.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `extract(workflow: WorkflowEntity): TRequirement[];` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 58368, "scanner": "repobility-supply-chain", "fingerprint": "06632af67d12f5b3d045cb9ba2c00e2a5a2c07ac6e25b93ef90aa47b3ec12204", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|06632af67d12f5b3d045cb9ba2c00e2a5a2c07ac6e25b93ef90aa47b3ec12204"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/modules/n8n-packages/entities/requirements-extractor.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `export interface RequirementsExtractor<TRequirement> {` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 58367, "scanner": "repobility-supply-chain", "fingerprint": "062476272ae1b870f549870f6724edd0bffb78b0188451c4f8d4312741d70c19", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|062476272ae1b870f549870f6724edd0bffb78b0188451c4f8d4312741d70c19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/modules/n8n-packages/entities/requirements-extractor.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 58358, "scanner": "repobility-ast-engine", "fingerprint": "5c8762560684d4f4dba198aabee9092695382b54fcb222aa9d17838b33e71f82", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5c8762560684d4f4dba198aabee9092695382b54fcb222aa9d17838b33e71f82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/compare_workflows.py"}, "region": {"startLine": 332}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 58357, "scanner": "repobility-ast-engine", "fingerprint": "0deba86e33eec331eeec5c0b6698cb73ef88c1bb806d3d363ae146dc5ae37210", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0deba86e33eec331eeec5c0b6698cb73ef88c1bb806d3d363ae146dc5ae37210"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/compare_workflows.py"}, "region": {"startLine": 293}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 58356, "scanner": "repobility-ast-engine", "fingerprint": "6d03bce2b4e22a2e557c1de7d0b3225237dd27676546e9ce72743750da5a24f7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6d03bce2b4e22a2e557c1de7d0b3225237dd27676546e9ce72743750da5a24f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/compare_workflows.py"}, "region": {"startLine": 282}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 58355, "scanner": "repobility-ast-engine", "fingerprint": "b73709a8a58d54e182dd9bf3e9641085b8e5506eb169ab121e3a22e607a4d677", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b73709a8a58d54e182dd9bf3e9641085b8e5506eb169ab121e3a22e607a4d677"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/compare_workflows.py"}, "region": {"startLine": 274}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 58354, "scanner": "repobility-ast-engine", "fingerprint": "a41c8a25c038719ee0517f7da77899ca6733ab6a315007c84d1ba46688099529", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a41c8a25c038719ee0517f7da77899ca6733ab6a315007c84d1ba46688099529"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/compare_workflows.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 58353, "scanner": "repobility-ast-engine", "fingerprint": "547021ee328bc03f0da5876c7931451d9e8540b7303e290350dc9c62312d8391", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|547021ee328bc03f0da5876c7931451d9e8540b7303e290350dc9c62312d8391"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/similarity.py"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 58327, "scanner": "repobility-ast-engine", "fingerprint": "362a14415dc11d7a56b49c5fb7fbc8017f0ab893cd087b705c78b8afd11ab069", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|362a14415dc11d7a56b49c5fb7fbc8017f0ab893cd087b705c78b8afd11ab069"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_executor.py"}, "region": {"startLine": 422}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 58326, "scanner": "repobility-ast-engine", "fingerprint": "d4f28e88699bf9542dd28354b3487e4dd1a279dae3fc1c56759d5d84e557775b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d4f28e88699bf9542dd28354b3487e4dd1a279dae3fc1c56759d5d84e557775b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_executor.py"}, "region": {"startLine": 325}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the 
exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 58325, "scanner": "repobility-ast-engine", "fingerprint": "2724a0dc441a2fda0877481b20e2705875f808842eac95c1681f8251abaf0e82", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2724a0dc441a2fda0877481b20e2705875f808842eac95c1681f8251abaf0e82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_executor.py"}, "region": {"startLine": 267}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 58324, "scanner": "repobility-ast-engine", "fingerprint": "2695e3ee2aa8003bdc87fe8c6b61b7bb364749f2729abeb8d74678d57e747797", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2695e3ee2aa8003bdc87fe8c6b61b7bb364749f2729abeb8d74678d57e747797"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/pipe_reader.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 58296, "scanner": "repobility-journey-contract", "fingerprint": "e6304ce3f606180f9a8913d71cb6b09aa53f958f7fc8e64e7b82ac3771d0593b", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/services/aigc/video-generation/video-synthesis", "correlation_key": "fp|e6304ce3f606180f9a8913d71cb6b09aa53f958f7fc8e64e7b82ac3771d0593b", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/nodes-langchain/nodes/vendors/AlibabaCloud/actions/video/generate.t2v.operation.ts"}, "region": {"startLine": 238}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend 
routes"}, "properties": {"repobilityId": 58295, "scanner": "repobility-journey-contract", "fingerprint": "a1f2532c2e63df1ee2b81dba3f6c736323c58d9f351b8cd0c3c4431e33a9df9f", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/services/aigc/video-generation/video-synthesis", "correlation_key": "fp|a1f2532c2e63df1ee2b81dba3f6c736323c58d9f351b8cd0c3c4431e33a9df9f", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/nodes-langchain/nodes/vendors/AlibabaCloud/actions/video/generate.i2v.operation.ts"}, "region": {"startLine": 300}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 58294, "scanner": "repobility-journey-contract", "fingerprint": "040846a25653c8b09b717a811da8c93cba434f190107f32126e46a7aa76d3b3c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/services/aigc/text-generation/generation", "correlation_key": "fp|040846a25653c8b09b717a811da8c93cba434f190107f32126e46a7aa76d3b3c", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/nodes-langchain/nodes/vendors/AlibabaCloud/actions/text/message.operation.ts"}, 
"region": {"startLine": 349}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 58293, "scanner": "repobility-journey-contract", "fingerprint": "2398630b9789efdc06cbc94b887e77a8af3082d91b61e2ca4267016465e57d8e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/services/aigc/multimodal-generation/generation", "correlation_key": "fp|2398630b9789efdc06cbc94b887e77a8af3082d91b61e2ca4267016465e57d8e", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/nodes-langchain/nodes/vendors/AlibabaCloud/actions/text/message.operation.ts"}, "region": {"startLine": 348}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 58292, "scanner": "repobility-journey-contract", "fingerprint": "7d6faf539e0efbc6c241370c5df3ae188dfed9b60902f49ade7c26e73a988bc3", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/services/aigc/multimodal-generation/generation", "correlation_key": "fp|7d6faf539e0efbc6c241370c5df3ae188dfed9b60902f49ade7c26e73a988bc3", "backend_endpoint_count": 1}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/nodes-langchain/nodes/vendors/AlibabaCloud/actions/image/generate.operation.ts"}, "region": {"startLine": 196}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 58291, "scanner": "repobility-journey-contract", "fingerprint": "f536455355486a69978363b15e98830ed361618663a3409b60499b53e51196ce", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/services/aigc/multimodal-generation/generation", "correlation_key": "fp|f536455355486a69978363b15e98830ed361618663a3409b60499b53e51196ce", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/nodes-langchain/nodes/vendors/AlibabaCloud/actions/image/analyze.operation.ts"}, "region": {"startLine": 201}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 58290, "scanner": "repobility-journey-contract", "fingerprint": "ce8ae400876275ec284572b46ec3ab870fe895dd0dce3485d77f69fc1b571b6f", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/tags", 
"correlation_key": "fp|ce8ae400876275ec284572b46ec3ab870fe895dd0dce3485d77f69fc1b571b6f", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/nodes-langchain/nodes/llms/LMOllama/description.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 58289, "scanner": "repobility-journey-contract", "fingerprint": "861f3fa7b9ca1b82538f4c7270f79916540121e125541a176d1e76a4d9d97c64", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/collection", "correlation_key": "fp|861f3fa7b9ca1b82538f4c7270f79916540121e125541a176d1e76a4d9d97c64", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/nodes-langchain/credentials/ZepApi.credentials.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 58288, "scanner": "repobility-journey-contract", "fingerprint": "bdb2bff747b431623499d83f4223eca1b454e7a8d1572c1308d6e5f88ca86522", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": 
"/api/tags", "correlation_key": "fp|bdb2bff747b431623499d83f4223eca1b454e7a8d1572c1308d6e5f88ca86522", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/nodes-langchain/credentials/OllamaApi.credentials.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 58287, "scanner": "repobility-journey-contract", "fingerprint": "66276c98c7b8012331db74feffb3a61ad8bd807d88908b6ecf2727da67cc0689", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/whoami-v2", "correlation_key": "fp|66276c98c7b8012331db74feffb3a61ad8bd807d88908b6ecf2727da67cc0689", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/nodes-langchain/credentials/HuggingFaceApi.credentials.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 58286, "scanner": "repobility-journey-contract", "fingerprint": "bec92ad5a1b27a279cdeca34883d61636e263be1ac74a0add964aafe4675462a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": 
["https://repobility.com/library/authorization/"], "route_shape": "/api/v2/heartbeat", "correlation_key": "fp|bec92ad5a1b27a279cdeca34883d61636e263be1ac74a0add964aafe4675462a", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/nodes-langchain/credentials/ChromaSelfHostedApi.credentials.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 58285, "scanner": "repobility-journey-contract", "fingerprint": "495261199cdd05c96031ca6e8d97a8d0c6f29e9f4bd34a7ebf1fc46561c4bd59", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v2", "correlation_key": "fp|495261199cdd05c96031ca6e8d97a8d0c6f29e9f4bd34a7ebf1fc46561c4bd59", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/nodes-langchain/credentials/ChromaCloudApi.credentials.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 58284, "scanner": "repobility-journey-contract", "fingerprint": "dac42939e50f461428a8f6a7a588f9fd76dee810d5eee95556f4cb7f8bb03c73", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": 
"repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1", "correlation_key": "fp|dac42939e50f461428a8f6a7a588f9fd76dee810d5eee95556f4cb7f8bb03c73", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/cli/src/client.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 58283, "scanner": "repobility-journey-contract", "fingerprint": "3f0378c4be35765e71665fe59d62d66b304bf34167ffb23aaabac8991abb02e7", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1", "correlation_key": "fp|3f0378c4be35765e71665fe59d62d66b304bf34167ffb23aaabac8991abb02e7", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/cli/src/client.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /${this.restEndpoint}/options/timezones."}, "properties": {"repobilityId": 58282, "scanner": "repobility-access-control", "fingerprint": "17de32feaf17b6483daee238936592b50b12c94a4cc09de5955e49ca9e626f20", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/${this.restEndpoint}/options/timezones", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|packages/cli/src/server.ts|240|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/server.ts"}, "region": {"startLine": 240}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 58281, "scanner": "repobility-access-control", "fingerprint": "b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 1, "correlation_key": "fp|b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "auth_visible_percent": 0.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 58280, "scanner": "repobility-access-control", "fingerprint": 
"f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 58253, "scanner": "repobility-docker", "fingerprint": "d8fbc5ddd6f1fc7fd6164f1e984f60d255013532db05849b1c513e22ae7c6255", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|d8fbc5ddd6f1fc7fd6164f1e984f60d255013532db05849b1c513e22ae7c6255", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 58235, "scanner": "repobility-docker", "fingerprint": "3d3eb6de50bd1599404c3978fb72713ca59f9650434a200dfdf52316a75e1eed", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", 
"evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|3d3eb6de50bd1599404c3978fb72713ca59f9650434a200dfdf52316a75e1eed", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 58220, "scanner": "repobility-docker", "fingerprint": "125514bbaabcb98bd9f3253bd0587320d15eceb8e43a497130d7ce6cf94cebbb", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|125514bbaabcb98bd9f3253bd0587320d15eceb8e43a497130d7ce6cf94cebbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 58213, "scanner": "repobility-docker", "fingerprint": "3e3af7c3e4b233166f603ff812b3a1f455b48e3e9994ec1524b5f86e221c6d2c", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|3e3af7c3e4b233166f603ff812b3a1f455b48e3e9994ec1524b5f86e221c6d2c"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 58211, "scanner": "repobility-docker", "fingerprint": "2ffb5ed7ddcef158ea05c7daff5d820635646f47426080488cb2967e3e1dabbb", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.12-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2ffb5ed7ddcef158ea05c7daff5d820635646f47426080488cb2967e3e1dabbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/testing/containers/dockerfiles/kent/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 58207, "scanner": "repobility-docker", "fingerprint": "22c36cd2b3f8cf25b80e4627f0bc1cf9f0cdc96ee29f20bf486d1f639063d7b4", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "gcr.io/distroless/cc-debian12:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|22c36cd2b3f8cf25b80e4627f0bc1cf9f0cdc96ee29f20bf486d1f639063d7b4"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "docker/images/runners/Dockerfile.distroless"}, "region": {"startLine": 180}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 58197, "scanner": "repobility-docker", "fingerprint": "401d450f6c0d9d63e57f97c54c7a373a28c16a8de7890801b2af470a56b212ea", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "dhi.io/node:24.15.0-alpine3.22-dev@sha256:a7eead704e9bd2d7a4c1b52cf595848f180365eba7c15a185ce1c3a690c1a19d", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|401d450f6c0d9d63e57f97c54c7a373a28c16a8de7890801b2af470a56b212ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/n8n-base/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 58192, "scanner": "repobility-agent-runtime", "fingerprint": "fb7745e4dae3fed5a6bd63da87dde1a19aa36706a809254a4de6f2a7ad1588c5", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|fb7745e4dae3fed5a6bd63da87dde1a19aa36706a809254a4de6f2a7ad1588c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/README.md"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 58177, "scanner": "repobility-threat-engine", "fingerprint": "7ddd052cc4741aefd271055a8805bdc9a1824f1a7836b1d266fc7c16630ec002", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (error) {\n\t\treturn null;\n\t}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7ddd052cc4741aefd271055a8805bdc9a1824f1a7836b1d266fc7c16630ec002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/nodes-langchain/nodes/mcp/shared/utils.ts"}, "region": {"startLine": 336}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 58176, "scanner": "repobility-threat-engine", "fingerprint": "fc003f6a8b03d581d5519c4d6d33c140501dc63fc715e73446a653452bce1fea", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (error) {\n\t\treturn null;\n\t}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fc003f6a8b03d581d5519c4d6d33c140501dc63fc715e73446a653452bce1fea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/node-cli/src/utils/json.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 58173, "scanner": "repobility-threat-engine", "fingerprint": "52b88beeec2474d1c219fbc052d6ce245a54cb521a8eb6f151c707e553ecdac5", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.5 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password = '<redacted>'", "reason": "Low entropy value (2.5 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|packages/ token|5|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/instance-ai/src/error-formatting.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not 
cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 58160, "scanner": "repobility-threat-engine", "fingerprint": "86e16beb75970f2b839bf18e157f1ead6135ddbd05a7a6bee18d2b3f489281bc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * 100),\n\t\t\tbirthDate: new Date(),\n\t\t\tisActiv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|86e16beb75970f2b839bf18e157f1ead6135ddbd05a7a6bee18d2b3f489281bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scenarios/data-table-node/data-table-node.script.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `_format_parameter_diff` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: elif=1, for=3, if=4, nested_bonus=7, recursion=1."}, "properties": {"repobilityId": 58146, "scanner": "repobility-threat-engine", "fingerprint": "f8d00f7f54fc965c5390b0b962d4df7944948c3ff4816b1f323ee24e3afaa0bd", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 16 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_format_parameter_diff", "breakdown": {"if": 4, "for": 3, "elif": 1, "recursion": 1, "nested_bonus": 7}, "complexity": 16, "correlation_key": "fp|f8d00f7f54fc965c5390b0b962d4df7944948c3ff4816b1f323ee24e3afaa0bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/compare_workflows.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `format_output_summary` has cognitive complexity 17 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: elif=1, else=3, for=1, if=5, nested_bonus=7."}, "properties": {"repobilityId": 58145, "scanner": "repobility-threat-engine", "fingerprint": "a480eae96b1a524f29de23b703b1b6340067b188af3965425001fc2caeba7c1b", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 17 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "format_output_summary", "breakdown": {"if": 5, "for": 1, "elif": 1, "else": 3, "nested_bonus": 7}, "complexity": 17, "correlation_key": "fp|a480eae96b1a524f29de23b703b1b6340067b188af3965425001fc2caeba7c1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/compare_workflows.py"}, "region": {"startLine": 176}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 58140, "scanner": "repobility-threat-engine", "fingerprint": "5af702edea3879242e702548b86e377a4a214c1bc25dc89f727b3db69b729e36", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"https://docs.n8n.io/advanced-ai/intro-tutorial/\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|packages/ token|54|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/nodes-langchain/nodes/agents/Agent/V2/AgentV2.node.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 58139, "scanner": "repobility-threat-engine", "fingerprint": "0e9fd02165dd3f0b0edc0b2c32286a9fe01926e387324b89ce750e271143bb0e", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a target=\"_blank\" href=\"https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Ob", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|packages/ token|144|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/expression-runtime/src/extensions/number-extensions.ts"}, "region": {"startLine": 144}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 58138, "scanner": "repobility-threat-engine", "fingerprint": "fea93a7b358e9c509af154c5390c16b7b14827cfc8ff9379c879501ce013d941", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"/templates/${templateId}\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|packages/ token|39|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-utilities/src/utils/shared-fields.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 58124, "scanner": "repobility-threat-engine", "fingerprint": "ad469e2d24e34e40122844a04e1dc0e3a534527dff0c1bbe26431502a6b21c99", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ad469e2d24e34e40122844a04e1dc0e3a534527dff0c1bbe26431502a6b21c99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/sdk/mcp-client.ts"}, "region": {"startLine": 141}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 58123, 
"scanner": "repobility-threat-engine", "fingerprint": "859591600189f33e048cefefbb3ac5ce0eae73d963ca43fd9e1b1fa9c8b3bb76", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|859591600189f33e048cefefbb3ac5ce0eae73d963ca43fd9e1b1fa9c8b3bb76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/runtime/runtime-helpers.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 58122, "scanner": "repobility-threat-engine", "fingerprint": "d1df1b25e0cc3febf87b340813be0076081a3e4ba2feee005c44ac3c2348a8e3", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d1df1b25e0cc3febf87b340813be0076081a3e4ba2feee005c44ac3c2348a8e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/runtime/mcp-connection.ts"}, "region": {"startLine": 119}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 58085, "scanner": "repobility-threat-engine", "fingerprint": "4f1b2892f52271fb2b907caea723519ac493f2de25c325a553cad416f42140b9", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|14|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/ensure-provenance-fields.mjs"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 58084, "scanner": "repobility-threat-engine", "fingerprint": "15364257e6c6fd9145b69835d41cbd00195570231a35c48134a4eb78946ab2c4", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. 
token|25|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/detect-new-packages.mjs"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 58083, "scanner": "repobility-threat-engine", "fingerprint": "0b5af0860cc5c9f8450a246d84219cb89d06de65f53d19da141041b402ccc329", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. 
token|182|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/bump-versions.mjs"}, "region": {"startLine": 182}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 58298, "scanner": "repobility-web-presence", "fingerprint": "0a9bfcda78779c132ef3f2d6af8c2e60abbbced5acdea40bce89ec75be9bdfc5", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|0a9bfcda78779c132ef3f2d6af8c2e60abbbced5acdea40bce89ec75be9bdfc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 58276, "scanner": "repobility-docker", "fingerprint": "06283d58f22a59c1e050c8517475eb2f4fa6025c96cb101a14c4c33cf0865715", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "n8n", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|06283d58f22a59c1e050c8517475eb2f4fa6025c96cb101a14c4c33cf0865715"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/sqlite/docker-compose.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose 
service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 58272, "scanner": "repobility-docker", "fingerprint": "48c9828e23380e49ff5a23293ddc9ed344fd5b2912f12a8d2445aca61d1fcd8b", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "mockapi", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|48c9828e23380e49ff5a23293ddc9ed344fd5b2912f12a8d2445aca61d1fcd8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/sqlite/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 58271, "scanner": "repobility-docker", "fingerprint": "e7c0af06ba86c3d2731266fecf3c0468981d038ed686cc4ca593321510cccc61", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mockapi", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e7c0af06ba86c3d2731266fecf3c0468981d038ed686cc4ca593321510cccc61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/sqlite/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 58269, "scanner": "repobility-docker", "fingerprint": 
"3bf4ee0ccd5d6ee9c373405ba9fdbf2d3c5e406353c4bf9c4f387e3671f6b2cf", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "n8n", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3bf4ee0ccd5d6ee9c373405ba9fdbf2d3c5e406353c4bf9c4f387e3671f6b2cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 131}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 58251, "scanner": "repobility-docker", "fingerprint": "db38f36e27c0846cea86943dfd25dc2e06e6dfe03eaca9b3e087f57cbcb865e1", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "mockapi", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|db38f36e27c0846cea86943dfd25dc2e06e6dfe03eaca9b3e087f57cbcb865e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 58250, "scanner": "repobility-docker", "fingerprint": "ceed34880292a2776ba439886d0779b9b1e666853b643f504d82ae03507c720c", "category": "docker", "severity": "low", "confidence": 0.56, 
"triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mockapi", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ceed34880292a2776ba439886d0779b9b1e666853b643f504d82ae03507c720c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 58233, "scanner": "repobility-docker", "fingerprint": "2886ec1b31948bf135c39e5aa4729c9464847ef22f1fb1a23e537ec9e04aeef1", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "mockapi", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2886ec1b31948bf135c39e5aa4729c9464847ef22f1fb1a23e537ec9e04aeef1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 58232, "scanner": "repobility-docker", "fingerprint": "f70c0c9633c362bcff30ce47a23f5e47536e74e2eeb0bf404539d34c83b210d8", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting 
and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mockapi", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f70c0c9633c362bcff30ce47a23f5e47536e74e2eeb0bf404539d34c83b210d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 58228, "scanner": "repobility-docker", "fingerprint": "6eecd11cc13d94c88028a8b983f9b3544f7275c6d7001753d843d405a4883935", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "n8n", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6eecd11cc13d94c88028a8b983f9b3544f7275c6d7001753d843d405a4883935"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/postgres/docker-compose.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 58222, "scanner": "repobility-docker", "fingerprint": "39bc4b2d11de19acb63da140e59413a40a6d41a55a23ffdf7341713d459c9cb9", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": 
"mockapi", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|39bc4b2d11de19acb63da140e59413a40a6d41a55a23ffdf7341713d459c9cb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/postgres/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 58221, "scanner": "repobility-docker", "fingerprint": "7880cc98173c98565c7de9708fa9fb8173b4dad7798bdc41fd9014e476c61e77", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mockapi", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7880cc98173c98565c7de9708fa9fb8173b4dad7798bdc41fd9014e476c61e77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/postgres/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 58216, "scanner": "repobility-docker", "fingerprint": "98e809ba88374fe43333526f71ee4bc676c820dad4ce0785e08d74c51f15ff88", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "n8n", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|98e809ba88374fe43333526f71ee4bc676c820dad4ce0785e08d74c51f15ff88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 58214, "scanner": "repobility-docker", "fingerprint": "5f16a8b5c56b4eb1141cd252932359641268e30d643c941e80032f72ae11a536", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "n8n", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5f16a8b5c56b4eb1141cd252932359641268e30d643c941e80032f72ae11a536"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 58210, "scanner": "repobility-docker", "fingerprint": "bb5629351b9996dc9917b27eca6fcb4f31f3bc7cff98b638b7ca8247f5c8e31d", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bb5629351b9996dc9917b27eca6fcb4f31f3bc7cff98b638b7ca8247f5c8e31d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": 
"DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 58209, "scanner": "repobility-docker", "fingerprint": "a80c3583afb11d321c09d7dbec75c65e24340f546c65861ae9fe962ca53a42bb", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a80c3583afb11d321c09d7dbec75c65e24340f546c65861ae9fe962ca53a42bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 58208, "scanner": "repobility-docker", "fingerprint": "a839db2b9ffb24948b2c0306c084159a2c39e4adfffc42bf92c0f230104b8344", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|a839db2b9ffb24948b2c0306c084159a2c39e4adfffc42bf92c0f230104b8344"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 58205, "scanner": "repobility-docker", "fingerprint": "a1ab339f44f4630e1012679093df1674c0569e151d72f651b117fb5b861cc40c", "category": "docker", 
"severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|a1ab339f44f4630e1012679093df1674c0569e151d72f651b117fb5b861cc40c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/runners/Dockerfile.distroless"}, "region": {"startLine": 102}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 58200, "scanner": "repobility-docker", "fingerprint": "b68ecaa9d01d1997b112e43811bcd75ca4d5d3d7f62b2a96ad7eb025543666e7", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|b68ecaa9d01d1997b112e43811bcd75ca4d5d3d7f62b2a96ad7eb025543666e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/runners/Dockerfile"}, "region": {"startLine": 78}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 58194, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58191, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7f2931388d5a5b07f88fc9d6f71d723c1e82e2eabe6fb7c5f51859ff8748ac9d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/@n8n/ai-workflow-builder.ee/src/tools/get-resource-locator-options.tool.ts", "duplicate_line": 85, "correlation_key": "fp|7f2931388d5a5b07f88fc9d6f71d723c1e82e2eabe6fb7c5f51859ff8748ac9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/src/tools/update-node-parameters.tool.ts"}, "region": {"startLine": 290}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58190, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e2425ad64e0a0d2f0901facd9e85cab147f8ddbe2ef489842ca84c88e797e76a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "packages/@n8n/ai-workflow-builder.ee/src/tools/connect-nodes.tool.ts", "duplicate_line": 228, "correlation_key": "fp|e2425ad64e0a0d2f0901facd9e85cab147f8ddbe2ef489842ca84c88e797e76a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/src/tools/rename-node.tool.ts"}, "region": {"startLine": 102}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58189, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4bbb146ecc2a341d01c126b6f7b24d802dd4aeb7ce0c4f6334d5693beb72e294", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/@n8n/ai-workflow-builder.ee/src/tools/add-node.tool.ts", "duplicate_line": 181, "correlation_key": "fp|4bbb146ecc2a341d01c126b6f7b24d802dd4aeb7ce0c4f6334d5693beb72e294"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/src/tools/remove-node.tool.ts"}, "region": {"startLine": 92}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58188, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bba24a08eb6d2b3c5dfc0b93894a63582f657a7c59fff602bb4520bdaa9f9469", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/@n8n/ai-workflow-builder.ee/src/tools/connect-nodes.tool.ts", "duplicate_line": 228, "correlation_key": "fp|bba24a08eb6d2b3c5dfc0b93894a63582f657a7c59fff602bb4520bdaa9f9469"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/src/tools/remove-connection.tool.ts"}, "region": {"startLine": 224}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58187, "scanner": "repobility-ai-code-hygiene", "fingerprint": "befcd8147d94ac8763e1d365d1834c957239ae916140730c88ead9205be7aea9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/@n8n/ai-workflow-builder.ee/src/tools/add-node.tool.ts", "duplicate_line": 181, "correlation_key": "fp|befcd8147d94ac8763e1d365d1834c957239ae916140730c88ead9205be7aea9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/src/tools/node-details.tool.ts"}, "region": {"startLine": 234}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58186, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9646a9e44ce6d08913be6be1fd90de9bf49613538915c207a75ac166a9b20c2a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/@n8n/ai-utilities/src/node-catalog/search-engine.ts", "duplicate_line": 48, "correlation_key": "fp|9646a9e44ce6d08913be6be1fd90de9bf49613538915c207a75ac166a9b20c2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/src/tools/engines/node-search-engine.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58185, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7278eefbe66b4f0facc15eefac67de22385557fa86cbbaaf329f16c3d7d2878e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/@n8n/ai-workflow-builder.ee/src/parent-graph-state.ts", "duplicate_line": 58, "correlation_key": "fp|7278eefbe66b4f0facc15eefac67de22385557fa86cbbaaf329f16c3d7d2878e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/src/subgraphs/discovery.subgraph.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58184, "scanner": "repobility-ai-code-hygiene", "fingerprint": "26be5b0b8fdd08f4477d58b63aa31d47632962b4798d215209434feea93b5388", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/@n8n/ai-utilities/src/node-catalog/types.ts", "duplicate_line": 2, "correlation_key": "fp|26be5b0b8fdd08f4477d58b63aa31d47632962b4798d215209434feea93b5388"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/src/code-builder/types.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58183, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b25dac29ba322c647683e0ebdbea6a7e230b5db350dc034e4eb259eadf616ff4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/@n8n/ai-workflow-builder.ee/src/code-builder/handlers/text-editor-tool-handler.ts", "duplicate_line": 183, "correlation_key": "fp|b25dac29ba322c647683e0ebdbea6a7e230b5db350dc034e4eb259eadf616ff4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/src/code-builder/handlers/validate-tool-handler.ts"}, "region": {"startLine": 121}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58182, "scanner": "repobility-ai-code-hygiene", "fingerprint": "15afea89c22304e5adb2201001fd56d1500a71017d26be7eafe52bb4c23302b7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "packages/@n8n/ai-utilities/src/utils/vector-store/createVectorStoreNode/operations/loadOperation.ts", "duplicate_line": 10, "correlation_key": "fp|15afea89c22304e5adb2201001fd56d1500a71017d26be7eafe52bb4c23302b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-utilities/src/utils/vector-store/createVectorStoreNode/operations/retrieveAsToolExecuteOperation.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58181, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1920bcc0c770993299dc8cf00d7684deb8b553dcb47e1d400290e496d957e9f4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/@n8n/agents/src/types/sdk/message.ts", "duplicate_line": 15, "correlation_key": "fp|1920bcc0c770993299dc8cf00d7684deb8b553dcb47e1d400290e496d957e9f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-utilities/src/types/message.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58180, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9e1c99ccf679ec6e70e1edd8b1b883df431cc29d4f77e17d529453d29d4b09f1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "packages/@n8n/agents/src/workspace/tools/batch-str-replace-file.ts", "duplicate_line": 58, "correlation_key": "fp|9e1c99ccf679ec6e70e1edd8b1b883df431cc29d4f77e17d529453d29d4b09f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/workspace/tools/str-replace-file.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58179, "scanner": "repobility-ai-code-hygiene", "fingerprint": "456a397fc2216a6df6c2e00b7100fbc24bb257aa67ae55a1950531eb377f4aab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/@n8n/agents/src/index.ts", "duplicate_line": 334, "correlation_key": "fp|456a397fc2216a6df6c2e00b7100fbc24bb257aa67ae55a1950531eb377f4aab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/workspace/index.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58178, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0c7dd197c7bb2e947485cc16176040303043ad1ec866c80ee54c185ec00e517d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/@n8n/agents/src/index.ts", 
"duplicate_line": 37, "correlation_key": "fp|0c7dd197c7bb2e947485cc16176040303043ad1ec866c80ee54c185ec00e517d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/types/index.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=2, else=1, except=3, if=3."}, "properties": {"repobilityId": 58147, "scanner": "repobility-threat-engine", "fingerprint": "77d0b7437b5df9c3eaaf8e50cf8f1c4b6492b4d69726e092df934df1525b1d23", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 3, "elif": 2, "else": 1, "except": 3}, "complexity": 9, "correlation_key": "fp|77d0b7437b5df9c3eaaf8e50cf8f1c4b6492b4d69726e092df934df1525b1d23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/compare_workflows.py"}, "region": {"startLine": 258}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `benchmark` image is selected through a build variable"}, "properties": {"repobilityId": 58279, "scanner": "repobility-docker", "fingerprint": "cdbad2fbe76e2af85f2e6fcd114f2ae8b44942de118bfe7c4059152443ca5d18", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": 
"ghcr.io/n8n-io/n8n-benchmark:${N8N_BENCHMARK_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|cdbad2fbe76e2af85f2e6fcd114f2ae8b44942de118bfe7c4059152443ca5d18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/sqlite/docker-compose.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `runners` image is selected through a build variable"}, "properties": {"repobilityId": 58277, "scanner": "repobility-docker", "fingerprint": "4ed19c220cded65e0b731acfd4e26e53f838bb070f76433456be613c3c7a53aa", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/n8n-io/runners:${N8N_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|4ed19c220cded65e0b731acfd4e26e53f838bb070f76433456be613c3c7a53aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/sqlite/docker-compose.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `n8n` image is selected through a build variable"}, "properties": {"repobilityId": 58273, "scanner": "repobility-docker", "fingerprint": "df7646a892c8b2ebaa1a9e5eb9a7649a6250457fd1743577f561ab04a518c5ac", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image 
contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/n8n-io/n8n:${N8N_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|df7646a892c8b2ebaa1a9e5eb9a7649a6250457fd1743577f561ab04a518c5ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/sqlite/docker-compose.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `benchmark` image is selected through a build variable"}, "properties": {"repobilityId": 58270, "scanner": "repobility-docker", "fingerprint": "6225f53b8c5aaf34c025a936e55b4d1e1c44145da4448c710c3df0e5f97f067f", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/n8n-io/n8n-benchmark:${N8N_BENCHMARK_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|6225f53b8c5aaf34c025a936e55b4d1e1c44145da4448c710c3df0e5f97f067f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 167}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `n8n` image is selected through a build variable"}, "properties": {"repobilityId": 58266, "scanner": "repobility-docker", "fingerprint": "5cf41b2982ca9f7b0641e3d1fbbdb2c942cc9c37a22b36785ba75d7f6bad8c77", "category": "docker", "severity": "info", "confidence": 0.48, 
"triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/n8n-io/n8n:${N8N_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|5cf41b2982ca9f7b0641e3d1fbbdb2c942cc9c37a22b36785ba75d7f6bad8c77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 131}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `n8n_worker2_runners` image is selected through a build variable"}, "properties": {"repobilityId": 58264, "scanner": "repobility-docker", "fingerprint": "107170e56aad2667e669f68949ce196e733550d20ad4978a855099edf6539bf4", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/n8n-io/runners:${N8N_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|107170e56aad2667e669f68949ce196e733550d20ad4978a855099edf6539bf4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 121}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `n8n_worker2` image is selected through a build variable"}, "properties": {"repobilityId": 58261, "scanner": "repobility-docker", "fingerprint": 
"4d3d75879b20f14f0b8662a47480fbdd06162b776bff63c79d6e2a1cdefd4e41", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/n8n-io/n8n:${N8N_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|4d3d75879b20f14f0b8662a47480fbdd06162b776bff63c79d6e2a1cdefd4e41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `n8n_worker1_runners` image is selected through a build variable"}, "properties": {"repobilityId": 58259, "scanner": "repobility-docker", "fingerprint": "b9be07ed0c7dda7e1d181a121a6ef9d10756f18ca4a73e2e3b804dede874a722", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/n8n-io/runners:${N8N_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|b9be07ed0c7dda7e1d181a121a6ef9d10756f18ca4a73e2e3b804dede874a722"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `n8n_worker1` image is 
selected through a build variable"}, "properties": {"repobilityId": 58256, "scanner": "repobility-docker", "fingerprint": "99b5ff477ad86e9b7501390169ed3719d1d52b3b3a4dd22eeab3d7cd2a5e3435", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/n8n-io/n8n:${N8N_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|99b5ff477ad86e9b7501390169ed3719d1d52b3b3a4dd22eeab3d7cd2a5e3435"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `benchmark` image is selected through a build variable"}, "properties": {"repobilityId": 58249, "scanner": "repobility-docker", "fingerprint": "9af16be40d05d7ec749d5c7da529047c3a31eda069311bef3ecd57552d75b861", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/n8n-io/n8n-benchmark:${N8N_BENCHMARK_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|9af16be40d05d7ec749d5c7da529047c3a31eda069311bef3ecd57552d75b861"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml"}, "region": 
{"startLine": 224}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `n8n_main1` image is selected through a build variable"}, "properties": {"repobilityId": 58247, "scanner": "repobility-docker", "fingerprint": "4236082b5d930683d4199b82adb415cac18b1ed92214c26db812a645f161c5c1", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/n8n-io/n8n:${N8N_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|4236082b5d930683d4199b82adb415cac18b1ed92214c26db812a645f161c5c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml"}, "region": {"startLine": 173}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `n8n_main2` image is selected through a build variable"}, "properties": {"repobilityId": 58245, "scanner": "repobility-docker", "fingerprint": "c68cdec6ea2a66745e037589bfc6f788c4cb952900bfb1781c14be57d2cc9016", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/n8n-io/n8n:${N8N_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|c68cdec6ea2a66745e037589bfc6f788c4cb952900bfb1781c14be57d2cc9016"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml"}, "region": {"startLine": 135}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `n8n_worker2_runners` image is selected through a build variable"}, "properties": {"repobilityId": 58243, "scanner": "repobility-docker", "fingerprint": "ae059e59da5b7ea67825b47077b941a1468d530cb0cdd034428cbc9f62ce9d24", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/n8n-io/runners:${N8N_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|ae059e59da5b7ea67825b47077b941a1468d530cb0cdd034428cbc9f62ce9d24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml"}, "region": {"startLine": 125}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `n8n_worker2` image is selected through a build variable"}, "properties": {"repobilityId": 58241, "scanner": "repobility-docker", "fingerprint": "edf8d81d3a961fc8f55b8fec618831a3495d13597a60e4dd582ea8eac385d37e", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/n8n-io/n8n:${N8N_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": 
"fp|edf8d81d3a961fc8f55b8fec618831a3495d13597a60e4dd582ea8eac385d37e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml"}, "region": {"startLine": 83}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `n8n_worker1_runners` image is selected through a build variable"}, "properties": {"repobilityId": 58239, "scanner": "repobility-docker", "fingerprint": "c1ad285ed2b8bbe73ddfdbb15f6cebbce8e24caf0175c17c0263f482d65b21ad", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/n8n-io/runners:${N8N_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|c1ad285ed2b8bbe73ddfdbb15f6cebbce8e24caf0175c17c0263f482d65b21ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml"}, "region": {"startLine": 73}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `n8n_worker1` image is selected through a build variable"}, "properties": {"repobilityId": 58237, "scanner": "repobility-docker", "fingerprint": "86c817d0dca54c2a50344865df1b8ecfaae544c69f63d26973b87fdebdaba8ba", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/n8n-io/n8n:${N8N_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|86c817d0dca54c2a50344865df1b8ecfaae544c69f63d26973b87fdebdaba8ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `benchmark` image is selected through a build variable"}, "properties": {"repobilityId": 58231, "scanner": "repobility-docker", "fingerprint": "23ad9a056c7a6453b62a78e5db53f0244b47db8113073196adb5cffd1413d851", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/n8n-io/n8n-benchmark:${N8N_BENCHMARK_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|23ad9a056c7a6453b62a78e5db53f0244b47db8113073196adb5cffd1413d851"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/postgres/docker-compose.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `runners` image is selected through a build variable"}, "properties": {"repobilityId": 58229, "scanner": "repobility-docker", "fingerprint": "9d8d5980eb89f305163226f410dd02e1abda4b6770db6c4a45b5d2c167ae15c1", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": 
"ghcr.io/n8n-io/runners:${N8N_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|9d8d5980eb89f305163226f410dd02e1abda4b6770db6c4a45b5d2c167ae15c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/postgres/docker-compose.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `n8n` image is selected through a build variable"}, "properties": {"repobilityId": 58225, "scanner": "repobility-docker", "fingerprint": "0cc1593b47aea3b079ec91c03e177a81ff8fea22900cdacb3618e4fba3470eb5", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/n8n-io/n8n:${N8N_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|0cc1593b47aea3b079ec91c03e177a81ff8fea22900cdacb3618e4fba3470eb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/postgres/docker-compose.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 58206, "scanner": "repobility-docker", "fingerprint": "aaa03d5f1194fe04f84f492f6dd0516750b045f19083db5ce9e56f31e79dd103", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual 
review is needed to avoid false positives.", "evidence": {"image": "node:${NODE_VERSION}-bookworm-slim", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|aaa03d5f1194fe04f84f492f6dd0516750b045f19083db5ce9e56f31e79dd103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/runners/Dockerfile.distroless"}, "region": {"startLine": 131}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 58204, "scanner": "repobility-docker", "fingerprint": "3458b891cc087622e18eaa21b24d58fe4398f9ce7d7c8df88da1e761311e02bc", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "python:${PYTHON_VERSION}-slim-bookworm", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|3458b891cc087622e18eaa21b24d58fe4398f9ce7d7c8df88da1e761311e02bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/runners/Dockerfile.distroless"}, "region": {"startLine": 59}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 58203, "scanner": "repobility-docker", "fingerprint": "1234347580a839fe5a17202267ef61a709d1f4a26b933c5d24aeacdada4d6326", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is 
needed to avoid false positives.", "evidence": {"image": "node:${NODE_VERSION}-bookworm-slim", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|1234347580a839fe5a17202267ef61a709d1f4a26b933c5d24aeacdada4d6326"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/runners/Dockerfile.distroless"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 58202, "scanner": "repobility-docker", "fingerprint": "73de8d3cc6f715dd74642d92973acd5c452cb62a7c6f4696ad442aaf07ee023d", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "python:${PYTHON_VERSION}-alpine", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|73de8d3cc6f715dd74642d92973acd5c452cb62a7c6f4696ad442aaf07ee023d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/runners/Dockerfile"}, "region": {"startLine": 110}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 58201, "scanner": "repobility-docker", "fingerprint": "1780085a7e2989ac6d0767fec0d078c32141958831b22da66398438d6fc2ce29", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false 
positives.", "evidence": {"image": "node:${NODE_VERSION}-alpine3.22", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|1780085a7e2989ac6d0767fec0d078c32141958831b22da66398438d6fc2ce29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/runners/Dockerfile"}, "region": {"startLine": 105}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 58199, "scanner": "repobility-docker", "fingerprint": "31cebe86dc10504539da72c9c8fe4c3cf71b444400a2dae2943fa4c7ba9d3397", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "python:${PYTHON_VERSION}-alpine", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|31cebe86dc10504539da72c9c8fe4c3cf71b444400a2dae2943fa4c7ba9d3397"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/runners/Dockerfile"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 58198, "scanner": "repobility-docker", "fingerprint": "a1a998b8e7a6f565f56f0409c80afa80393a915c6bcdee1d0799a8567fc558df", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": 
"node:${NODE_VERSION}-alpine3.22", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a1a998b8e7a6f565f56f0409c80afa80393a915c6bcdee1d0799a8567fc558df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/runners/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 58196, "scanner": "repobility-docker", "fingerprint": "18d337deae1e6883268f8b168406cdfd39b2a825449deb15bc4cd65d9ed8177d", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "n8nio/base:${NODE_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|18d337deae1e6883268f8b168406cdfd39b2a825449deb15bc4cd65d9ed8177d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/n8n/Dockerfile"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 58195, "scanner": "repobility-docker", "fingerprint": "ec3e3629f5b3cf8ab7970404b1a4cf4db4e64b2737c8d096e91102d6b170b3b1", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "node:${NODE_VERSION}-alpine3.22", "rule_id": 
"DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|ec3e3629f5b3cf8ab7970404b1a4cf4db4e64b2737c8d096e91102d6b170b3b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/engine/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 58193, "scanner": "repobility-docker", "fingerprint": "76eda08a6c729601ce3398da3104dfbdac5a26d24bda21e5e98829c0a953d4bc", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "node:${NODE_VERSION}-alpine", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|76eda08a6c729601ce3398da3104dfbdac5a26d24bda21e5e98829c0a953d4bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 58174, "scanner": "repobility-threat-engine", "fingerprint": "fdb2dfa6260563d7b61edfac18443f9436901783516c8715b570322f79ed1708", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], 
"languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fdb2dfa6260563d7b61edfac18443f9436901783516c8715b570322f79ed1708"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/mcp-apps/vite.config.mts"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 58170, "scanner": "repobility-threat-engine", "fingerprint": "80c0ad7fce2fe6695b120f2180d6bd7c42a86fb749699b717b59bf5d65adc0d9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|80c0ad7fce2fe6695b120f2180d6bd7c42a86fb749699b717b59bf5d65adc0d9"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 58164, "scanner": "repobility-threat-engine", "fingerprint": "eae1e8fab9889f0af0f21f1e9feee5af5bdf56bab4b240b20c25ac339c8e81f0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|eae1e8fab9889f0af0f21f1e9feee5af5bdf56bab4b240b20c25ac339c8e81f0", "aggregated_count": 8}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 58163, "scanner": "repobility-threat-engine", "fingerprint": "38c7e0e0a4bc00f09026cb629026fd8d092b571e83ff85395b46b7ea32de6cf6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|38c7e0e0a4bc00f09026cb629026fd8d092b571e83ff85395b46b7ea32de6cf6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/engine/src/serve.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 58162, "scanner": "repobility-threat-engine", "fingerprint": "6026ce42fab2170a2a7189d82687a2ce1fd1c14e3478de7d9ab89c0a782ae6fe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6026ce42fab2170a2a7189d82687a2ce1fd1c14e3478de7d9ab89c0a782ae6fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/nginx.conf"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 58161, "scanner": "repobility-threat-engine", "fingerprint": "0d9e44fe9b1b26b3b6572fc77170be51a4200ec8b0a22f97a423cca5797378e5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0d9e44fe9b1b26b3b6572fc77170be51a4200ec8b0a22f97a423cca5797378e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED019", "level": "none", "message": {"text": "[MINED019] Ssti Jinja From String (and 6 more): Same pattern found in 6 additional files. 
Review if needed."}, "properties": {"repobilityId": 58158, "scanner": "repobility-threat-engine", "fingerprint": "987273f80fea3e6afe0fec3dbb4108ae850f53712a2636b515b0dcecb7f2f113", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|987273f80fea3e6afe0fec3dbb4108ae850f53712a2636b515b0dcecb7f2f113", "aggregated_count": 6}}}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 58154, "scanner": "repobility-threat-engine", "fingerprint": "fd8d08e6de1c2fe2dcff894b11bcb5044e86c9d8eb4a804b088501431e5639d9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fd8d08e6de1c2fe2dcff894b11bcb5044e86c9d8eb4a804b088501431e5639d9", "aggregated_count": 9}}}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "properties": {"repobilityId": 58153, "scanner": "repobility-threat-engine", "fingerprint": "8327ce3a5099ad254a32787e6a168a690581ff695216a7a95a90dc368f6d8cac", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8327ce3a5099ad254a32787e6a168a690581ff695216a7a95a90dc368f6d8cac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/src/prompts/chains/parameter-updater/examples/simple-updates.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). 
Common AI hallucination."}, "properties": {"repobilityId": 58152, "scanner": "repobility-threat-engine", "fingerprint": "15d5472272ad0757957daab8b8eb6850bced0cc8d7d3652222b537f7092b0e29", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|15d5472272ad0757957daab8b8eb6850bced0cc8d7d3652222b537f7092b0e29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/src/prompts/agents/supervisor.prompt.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). 
Common AI hallucination."}, "properties": {"repobilityId": 58151, "scanner": "repobility-threat-engine", "fingerprint": "1c55aa9fb37c8675e686b4343e562a92e6ea512706860e93d12fead7486243f0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1c55aa9fb37c8675e686b4343e562a92e6ea512706860e93d12fead7486243f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/src/chains/parameter-updater.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 58148, "scanner": "repobility-threat-engine", "fingerprint": "374b2f9ca97c941ea8799534a3f6a7246c4a413e5ec69c34d7f4988e5034f739", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "format_output_summary", "breakdown": {"if": 5, "for": 1, "elif": 1, "else": 3, "nested_bonus": 7}, "aggregated": true, "complexity": 17, "correlation_key": "fp|374b2f9ca97c941ea8799534a3f6a7246c4a413e5ec69c34d7f4988e5034f739", "aggregated_count": 2}}}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 58142, "scanner": "repobility-threat-engine", "fingerprint": "6ba20ec60c73fee46aeab63adf2e5acfb982aae144ea697e7fbc859c86f10b5d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6ba20ec60c73fee46aeab63adf2e5acfb982aae144ea697e7fbc859c86f10b5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/evaluations/evaluators/llm-judge/workflow-evaluator.ts"}, "region": {"startLine": 216}}}]}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\" (and 8 more): Same pattern found in 8 additional files. 
Review if needed."}, "properties": {"repobilityId": 58141, "scanner": "repobility-threat-engine", "fingerprint": "5da30219d5587b603828c2620444e139b089a3522fe8ad878bc1e076181451f1", "category": "security", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5da30219d5587b603828c2620444e139b089a3522fe8ad878bc1e076181451f1"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 58137, "scanner": "repobility-threat-engine", "fingerprint": "35bedd0240d3fc4d57f3c1f1fde9b6f248438c5e761a4848023fa16a9a5d0a46", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|35bedd0240d3fc4d57f3c1f1fde9b6f248438c5e761a4848023fa16a9a5d0a46", "aggregated_count": 10}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 58136, "scanner": "repobility-threat-engine", "fingerprint": "56ebba7da93629109656a18ae85de530ddd34e54bd028705629e3fc92bfe2da9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|56ebba7da93629109656a18ae85de530ddd34e54bd028705629e3fc92bfe2da9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-utilities/src/utils/failed-attempt-handler/n8nLlmFailedAttemptHandler.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 58135, "scanner": "repobility-threat-engine", "fingerprint": "23e4e39a3a35eae1bf9a7c50c7fa5c33a3a4716bce30f831f440f09f9c440c19", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|23e4e39a3a35eae1bf9a7c50c7fa5c33a3a4716bce30f831f440f09f9c440c19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-utilities/src/utils/failed-attempt-handler/n8nDefaultFailedAttemptHandler.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 58134, "scanner": "repobility-threat-engine", "fingerprint": "4e04e7c019fe738c0cd7fb88df84a22bd22718f81f3470b479c306d223bef7eb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4e04e7c019fe738c0cd7fb88df84a22bd22718f81f3470b479c306d223bef7eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-utilities/src/types/message.ts"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 58133, "scanner": "repobility-threat-engine", "fingerprint": "769c18fadda3776f4c38242101c83cdc970a936cb8fb23d80e2d64c6a29f9cf6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|769c18fadda3776f4c38242101c83cdc970a936cb8fb23d80e2d64c6a29f9cf6", "aggregated_count": 5}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 58132, "scanner": "repobility-threat-engine", "fingerprint": "3b5708c83b232f37f17bbad03c594b37502bf5d5c2cf37a1033efa068b231e74", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3b5708c83b232f37f17bbad03c594b37502bf5d5c2cf37a1033efa068b231e74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/expression-runtime/src/extensions/object-extensions.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 58131, "scanner": "repobility-threat-engine", "fingerprint": "33f5794b5f69a21fae7d92e50485c09e12509e1553b2512825112c8411a4b8a0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|33f5794b5f69a21fae7d92e50485c09e12509e1553b2512825112c8411a4b8a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/db/src/repositories/workflow-dependency.repository.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 58130, "scanner": "repobility-threat-engine", "fingerprint": "a6853a5955c43eea6c9119b384e9232b8a68d70524599ab08ff0828955386f28", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a6853a5955c43eea6c9119b384e9232b8a68d70524599ab08ff0828955386f28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-utilities/src/adapters/langchain-chat-model.ts"}, "region": {"startLine": 228}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "properties": {"repobilityId": 58129, "scanner": "repobility-threat-engine", "fingerprint": "fce2ff5e05890616a7cd16edf195d7a6794337038a39c9f7c6ac3684ca845b1d", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|fce2ff5e05890616a7cd16edf195d7a6794337038a39c9f7c6ac3684ca845b1d"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 58128, "scanner": "repobility-threat-engine", "fingerprint": "8d4bcaf22a84cc53f7017b83290244f26ec3289b129183441c2f5a29a56f44a6", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|packages/ token|110|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/runtime/scoped-memory-task-runner.ts"}, "region": {"startLine": 110}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 58127, "scanner": "repobility-threat-engine", "fingerprint": "c4c09b3872e789f25a4d7ee1978997498a8e7d76b0199df72288c7842e5d490f", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|packages/ token|68|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/runtime/run-state.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 58126, "scanner": "repobility-threat-engine", "fingerprint": "5cf7d69147ed565cb05da4589d4a1474dc48666670a47fa3a0d6cf73242ef5a3", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|packages/ token|58|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/runtime/message-list.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 9 more): Same pattern found in 9 additional files. 
Review if needed."}, "properties": {"repobilityId": 58125, "scanner": "repobility-threat-engine", "fingerprint": "9cc98ec684a3e6bc47534b8969a978472a77e62faf58b476f27031bff834dc54", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9cc98ec684a3e6bc47534b8969a978472a77e62faf58b476f27031bff834dc54"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 47 more): Same pattern found in 47 additional files. Review if needed."}, "properties": {"repobilityId": 58121, "scanner": "repobility-threat-engine", "fingerprint": "9ff29688365d7a1b29fad589162cf862a45f8f595399e6838a585c35051db6fb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 47 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9ff29688365d7a1b29fad589162cf862a45f8f595399e6838a585c35051db6fb", "aggregated_count": 47}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 58120, "scanner": "repobility-threat-engine", "fingerprint": "15bb71af4978ff42a1d370c7025e094c4fe6b65add7cc4e110c608d8847469e4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|15bb71af4978ff42a1d370c7025e094c4fe6b65add7cc4e110c608d8847469e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/runtime/title-generation.ts"}, "region": {"startLine": 239}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 58119, "scanner": "repobility-threat-engine", "fingerprint": "c3c241f205687689f0526bc0e4d1529580b0be372d1c9e6f0bd6ecf612453be6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c3c241f205687689f0526bc0e4d1529580b0be372d1c9e6f0bd6ecf612453be6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/runtime/message-list.ts"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 58118, "scanner": "repobility-threat-engine", "fingerprint": "4ebea86f919e52bd68b91990af038e91aa469d3fc3b48b524dac7f0ec9f6a93a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4ebea86f919e52bd68b91990af038e91aa469d3fc3b48b524dac7f0ec9f6a93a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/runtime/deferred-tool-manager.ts"}, "region": {"startLine": 136}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 34 more): Same pattern found in 34 additional files. Review if needed."}, "properties": {"repobilityId": 58117, "scanner": "repobility-threat-engine", "fingerprint": "b7270a60e427ef80f66e518ce8f7d3b7a214324c6b92e160fd988cfa6c32d331", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 34 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 34 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b7270a60e427ef80f66e518ce8f7d3b7a214324c6b92e160fd988cfa6c32d331"}}}, {"ruleId": "MINED024", "level": "none", "message": {"text": "[MINED024] Js Eval Usage (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 58113, "scanner": "repobility-threat-engine", "fingerprint": "49ceb69c33b96079c29466855fdb656ebf27ca23529796129430be6596e633c3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|49ceb69c33b96079c29466855fdb656ebf27ca23529796129430be6596e633c3", "aggregated_count": 6}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 33 more): Same pattern found in 33 additional files. Review if needed."}, "properties": {"repobilityId": 58106, "scanner": "repobility-threat-engine", "fingerprint": "09a29f6fb06578b561d63ae2dd291a76dfe5468697d8e07ddfb477e23b1df4cf", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 33 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 33 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|09a29f6fb06578b561d63ae2dd291a76dfe5468697d8e07ddfb477e23b1df4cf"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 58102, "scanner": "repobility-threat-engine", "fingerprint": "edb2a9d9a98e363aa8c2f7f14fd7bce9de8bbc1c35f5a3c230b4a8d14e0198fd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|edb2a9d9a98e363aa8c2f7f14fd7bce9de8bbc1c35f5a3c230b4a8d14e0198fd"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 58098, "scanner": "repobility-threat-engine", "fingerprint": "2a66995403910da2502a79aaef8ddae5f99a399d669ebe007855c4a8f4867a5c", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2a66995403910da2502a79aaef8ddae5f99a399d669ebe007855c4a8f4867a5c"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 58097, "scanner": "repobility-threat-engine", "fingerprint": "1f65b3d8ef768582acec79cb52825fff7d9e18bd1a6cd7862e978d355b706d81", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.log('QA_METRICS_WEBHOOK_USER/PASSWORD not set, skipping.')", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|. token|6|console.log token not set skipping."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/send-metrics.mjs"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 58096, "scanner": "repobility-threat-engine", "fingerprint": "5dab3cbc27cba9dddf64da8edd240f6dd52a7942d0a3c3be0f653a84b3154c21", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('GITHUB_TOKEN is required to post comments')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|. token|10|console.error github_token is required to post comments"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/post-qa-metrics-comment.mjs"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 58095, "scanner": "repobility-threat-engine", "fingerprint": "8876d9cd26bc9e0e3bb706198b93189a1ca0d3a170a1445eb781159d46daec02", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('GITHUB_TOKEN is required to post comments')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|. token|5|console.error github_token is required to post comments"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/post-grind-comment.mjs"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 58094, "scanner": "repobility-threat-engine", "fingerprint": "6a18ab7a9e98c274da2376be7d4db90ac5c0793ef3977493da2ca34a4a66e837", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6a18ab7a9e98c274da2376be7d4db90ac5c0793ef3977493da2ca34a4a66e837", "aggregated_count": 5}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 58093, "scanner": "repobility-threat-engine", "fingerprint": "fd144705e69538ccdd28c2ad01622bd2d307edc7d81afb1b83d1dfe47e623d38", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fd144705e69538ccdd28c2ad01622bd2d307edc7d81afb1b83d1dfe47e623d38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/examples/basic-agent.ts"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 58092, "scanner": "repobility-threat-engine", "fingerprint": "ae73225829eb60928dc6818d68af808278434777502eac1cd9a4a95090b161ff", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating 
context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ae73225829eb60928dc6818d68af808278434777502eac1cd9a4a95090b161ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/send-metrics.mjs"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 58091, "scanner": "repobility-threat-engine", "fingerprint": "ff38365702269dbf99acdc7ea7002c52bea49df4a119e784c644cedef36bd2bf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ff38365702269dbf99acdc7ea7002c52bea49df4a119e784c644cedef36bd2bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/detect-new-packages.mjs"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 47 more): Same pattern found in 47 additional files. 
Review if needed."}, "properties": {"repobilityId": 58090, "scanner": "repobility-threat-engine", "fingerprint": "c55f6ae66a121b711736ebf9d8db66b3827bb33d9793d3b2dce9949e5294a2a7", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 47 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 47 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c55f6ae66a121b711736ebf9d8db66b3827bb33d9793d3b2dce9949e5294a2a7"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "properties": {"repobilityId": 58086, "scanner": "repobility-threat-engine", "fingerprint": "3135b3ae83a831d18dc4de6ec254af37532aedd273e95636989078d478f5577a", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 27 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 27 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3135b3ae83a831d18dc4de6ec254af37532aedd273e95636989078d478f5577a"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 88 more): Same pattern found in 88 additional files. 
Review if needed."}, "properties": {"repobilityId": 58082, "scanner": "repobility-threat-engine", "fingerprint": "c1ef58e9c9e14409cc30cd97f340912f48512ba734a4b66edc71d8b99205bb5f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 88 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c1ef58e9c9e14409cc30cd97f340912f48512ba734a4b66edc71d8b99205bb5f", "aggregated_count": 88}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 58081, "scanner": "repobility-threat-engine", "fingerprint": "6a63a35f37cb772510f21ee389a987b43f563150bc42b0db4a2bebef0d7ea091", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a63a35f37cb772510f21ee389a987b43f563150bc42b0db4a2bebef0d7ea091"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/claude-task/prepare-claude-prompt.mjs"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 58080, "scanner": "repobility-threat-engine", "fingerprint": "bf9e0a4312b4e9b44ca5008333550edf00260aa199ee72f73361249474ebee58", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bf9e0a4312b4e9b44ca5008333550edf00260aa199ee72f73361249474ebee58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/bump-versions.mjs"}, "region": {"startLine": 286}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 58079, "scanner": "repobility-threat-engine", "fingerprint": "a0f558cdfcda2b0795b0a8ed98b415bbe7f8e0aa1e3e6b825f69b6c1e86aac48", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a0f558cdfcda2b0795b0a8ed98b415bbe7f8e0aa1e3e6b825f69b6c1e86aac48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/ci-filter/ci-filter.mjs"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml` pinned to mutable ref `@v2.1.0`: `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58384, "scanner": "repobility-supply-chain", "fingerprint": "c3e193cf5307f00dde2d41b6728224005c543913534964556ecddc5b6cb90533", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c3e193cf5307f00dde2d41b6728224005c543913534964556ecddc5b6cb90533"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-build-push.yml"}, "region": {"startLine": 356}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml` pinned to mutable ref `@v2.1.0`: `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58383, "scanner": "repobility-supply-chain", "fingerprint": "a8a14c3458a7c63afb7e83ae8bbe2235f9beea834d9e2143331423fb4db55d99", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a8a14c3458a7c63afb7e83ae8bbe2235f9beea834d9e2143331423fb4db55d99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-build-push.yml"}, "region": {"startLine": 337}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml` pinned to mutable ref `@v2.1.0`: `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58382, "scanner": "repobility-supply-chain", "fingerprint": "927f1c1edaada2fcf8b5a292b481e2ad0be3e0127429a0296d1297f9cb0d3ae7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|927f1c1edaada2fcf8b5a292b481e2ad0be3e0127429a0296d1297f9cb0d3ae7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-build-push.yml"}, "region": {"startLine": 318}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58375, "scanner": "repobility-supply-chain", "fingerprint": "904517e83bf751617a9f32e100e984cd0bda4f3b285f1a3de67cbd127af939c0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|904517e83bf751617a9f32e100e984cd0bda4f3b285f1a3de67cbd127af939c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/node-cli/src/template/templates/shared/default/.github/workflows/publish.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58374, "scanner": "repobility-supply-chain", "fingerprint": "9b58343ccca1c59205e604ca9fff2834679e330c92ca7ce6b020b6eb4a60fd87", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9b58343ccca1c59205e604ca9fff2834679e330c92ca7ce6b020b6eb4a60fd87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/node-cli/src/template/templates/shared/default/.github/workflows/publish.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58373, "scanner": "repobility-supply-chain", "fingerprint": "5f165b87be9a8fcf2589a2e23c08d9354a450198c62aae76c77b37d833cf9238", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5f165b87be9a8fcf2589a2e23c08d9354a450198c62aae76c77b37d833cf9238"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/node-cli/src/template/templates/shared/default/.github/workflows/ci.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58372, "scanner": "repobility-supply-chain", "fingerprint": "77f039f5a6f6990baa98d653f418036831a7543f0dd71bb35f29b90c9c6e77d0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|77f039f5a6f6990baa98d653f418036831a7543f0dd71bb35f29b90c9c6e77d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/node-cli/src/template/templates/shared/default/.github/workflows/ci.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `xlsx` pulled from URL/Git: `dependencies.xlsx` = `https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 58371, "scanner": "repobility-supply-chain", "fingerprint": "775494feed7530beaff9abfc59a015df224dffb05894f57a27649fe68bcedd92", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|775494feed7530beaff9abfc59a015df224dffb05894f57a27649fe68bcedd92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/instance-ai/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24.15.0` not pinned by digest: `FROM node:24.15.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 58370, "scanner": "repobility-supply-chain", "fingerprint": "6ca92e981a70d79187a65904aa0b1c62c18066b95f52ceaa6194fc7169a5bd06", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6ca92e981a70d79187a65904aa0b1c62c18066b95f52ceaa6194fc7169a5bd06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 58366, "scanner": "repobility-supply-chain", "fingerprint": "cdbf860fbe2461e0c90551b26d704eee555c683755285142d072b969dcf6e96b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cdbf860fbe2461e0c90551b26d704eee555c683755285142d072b969dcf6e96b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/testing/containers/dockerfiles/kent/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `wa-sqlite` pulled from URL/Git: `dependencies.wa-sqlite` = `github:rhashimoto/wa-sqlite#779219540f66cecaa159da32b3b8936697ba10a7` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 58365, "scanner": "repobility-supply-chain", "fingerprint": "bd71952dfdbea2072d3e45e7b1d6970c7bfbbc200daa666f6943c6f20fe77433", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bd71952dfdbea2072d3e45e7b1d6970c7bfbbc200daa666f6943c6f20fe77433"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/frontend/editor-ui/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `xlsx` pulled from URL/Git: `dependencies.xlsx` = `https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 58364, "scanner": "repobility-supply-chain", "fingerprint": "506ca261389f005378331f9b0243be90f0bd1d0622cf691a78510d50ea50ceac", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|506ca261389f005378331f9b0243be90f0bd1d0622cf691a78510d50ea50ceac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nodes-base/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `n8nio/base (no tag)` not pinned by digest: `FROM n8nio/base (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 58363, "scanner": "repobility-supply-chain", "fingerprint": "b756e8ab1c1e11592da7ab0a4a03907a156bc90b687ca4561c97485ee6c73874", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b756e8ab1c1e11592da7ab0a4a03907a156bc90b687ca4561c97485ee6c73874"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/n8n/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:3.22` not pinned by digest: `FROM alpine:3.22` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 58362, "scanner": "repobility-supply-chain", "fingerprint": "a2f9497c3369c4a78653984a7c92f0263ca92f19c696cce2c0622275a5d35960", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a2f9497c3369c4a78653984a7c92f0263ca92f19c696cce2c0622275a5d35960"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/runners/Dockerfile"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `gcr.io/distroless/cc-debian12:latest` not pinned by digest: `FROM gcr.io/distroless/cc-debian12:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 58361, "scanner": "repobility-supply-chain", "fingerprint": "a95b75300d63c5a9b514b180831f3272052d18e79b06cc050706bc33e4b734b3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a95b75300d63c5a9b514b180831f3272052d18e79b06cc050706bc33e4b734b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/runners/Dockerfile.distroless"}, "region": {"startLine": 180}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 58360, "scanner": "repobility-supply-chain", "fingerprint": "bf2d6b874f67abec82da60a5dbdb6067127c013f09e2e53e9f496e2f738be900", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf2d6b874f67abec82da60a5dbdb6067127c013f09e2e53e9f496e2f738be900"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/runners/Dockerfile.distroless"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 58359, "scanner": "repobility-supply-chain", "fingerprint": "26cb6784d6df4c5df767b620c47299275861c784c4a36d3ed729650655c7eb43", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|26cb6784d6df4c5df767b620c47299275861c784c4a36d3ed729650655c7eb43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/runners/Dockerfile.distroless"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_format_method_in_call_chain_allowed: Test function `test_format_method_in_call_chain_allowed` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58352, "scanner": "repobility-ast-engine", "fingerprint": "e3f0fba64a0133265f0b08a11af72f2eba4580e3bd24cc4fc0f681095a6edd5b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e3f0fba64a0133265f0b08a11af72f2eba4580e3bd24cc4fc0f681095a6edd5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_analyzer.py"}, "region": {"startLine": 317}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_format_call_form_allowed: Test function `test_format_call_form_allowed` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58351, "scanner": "repobility-ast-engine", "fingerprint": "bcb40d4ea39676ab7f65151336ce1758128724cf00d4275410435d3cfac36e15", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bcb40d4ea39676ab7f65151336ce1758128724cf00d4275410435d3cfac36e15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_analyzer.py"}, "region": {"startLine": 292}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_nested_format_spec_without_blocked_attributes_allowed: Test function `test_nested_format_spec_without_blocked_attributes_allowed` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58350, "scanner": "repobility-ast-engine", "fingerprint": "ceabb0199fa9897a80e1b4efcbfdb07fe825afc71360afaeef207a847c7e57ce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ceabb0199fa9897a80e1b4efcbfdb07fe825afc71360afaeef207a847c7e57ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_analyzer.py"}, "region": {"startLine": 278}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_escaped_braces_allowed: Test function `test_escaped_braces_allowed` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58349, "scanner": "repobility-ast-engine", "fingerprint": "a2c8d1af8b65c3749dd68621f769ae4b7f253907628ef07ebfb183ce20a1924b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a2c8d1af8b65c3749dd68621f769ae4b7f253907628ef07ebfb183ce20a1924b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_analyzer.py"}, "region": {"startLine": 240}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_safe_format_strings_allowed: Test function `test_safe_format_strings_allowed` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58348, "scanner": "repobility-ast-engine", "fingerprint": "121c0181d58d4a5f19c20099c2dfcef662c54f7e76671c5a95ea4a7779bb7c01", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|121c0181d58d4a5f19c20099c2dfcef662c54f7e76671c5a95ea4a7779bb7c01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_analyzer.py"}, "region": {"startLine": 227}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_allowed_modules_via_dynamic_import: Test function `test_allowed_modules_via_dynamic_import` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58347, "scanner": "repobility-ast-engine", "fingerprint": "877cdb74d5a3063acb43ccbc17f33ef5d817cc480223e5ba4c985b4965248d2e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|877cdb74d5a3063acb43ccbc17f33ef5d817cc480223e5ba4c985b4965248d2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_analyzer.py"}, "region": {"startLine": 195}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_various_dynamic_import_patterns: Test function `test_various_dynamic_import_patterns` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58346, "scanner": "repobility-ast-engine", "fingerprint": "c65c425fef7fd908f5eb7bf4e28ece7212b362234b721e902a66405cba7e8706", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c65c425fef7fd908f5eb7bf4e28ece7212b362234b721e902a66405cba7e8706"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_analyzer.py"}, "region": {"startLine": 184}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_allowed_attribute_access: Test function `test_allowed_attribute_access` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58345, "scanner": "repobility-ast-engine", "fingerprint": "22b17d2d4ec8e2705f318bda9414f65ab1bdfa89c05f866b75967ff04ff40e8c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|22b17d2d4ec8e2705f318bda9414f65ab1bdfa89c05f866b75967ff04ff40e8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_analyzer.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_blocked_relative_imports: Test function `test_blocked_relative_imports` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58344, "scanner": "repobility-ast-engine", "fingerprint": "be19b06bd6a4bf2ae63b2f0372a85f38ec939e48d564c0af3f4e031ece5ce53c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|be19b06bd6a4bf2ae63b2f0372a85f38ec939e48d564c0af3f4e031ece5ce53c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_analyzer.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_blocked_dangerous_imports: Test function `test_blocked_dangerous_imports` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58343, "scanner": "repobility-ast-engine", "fingerprint": "0ff0bd3fcf79285f00079071d4e49f4880bb8cb6c4fd10cb3356cefb6090e321", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0ff0bd3fcf79285f00079071d4e49f4880bb8cb6c4fd10cb3356cefb6090e321"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_analyzer.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_allowed_standard_imports: Test function `test_allowed_standard_imports` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58342, "scanner": "repobility-ast-engine", "fingerprint": "13e5763dcc050c81214b5a6eee5cc585beff4693e3374201dbe9518b72aef073", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|13e5763dcc050c81214b5a6eee5cc585beff4693e3374201dbe9518b72aef073"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_analyzer.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_compiled_code_rejects_dynamic_blocked_template: Test function `test_compiled_code_rejects_dynamic_blocked_template` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58341, "scanner": "repobility-ast-engine", "fingerprint": "32925f243dd6ddd9bdb2fa0f6784312d34e1d29f94b0bd224cbfd7e16b17bbab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|32925f243dd6ddd9bdb2fa0f6784312d34e1d29f94b0bd224cbfd7e16b17bbab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_executor.py"}, "region": {"startLine": 518}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_str_class_unbound_form_rejected: Test function `test_str_class_unbound_form_rejected` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58340, "scanner": "repobility-ast-engine", "fingerprint": "073a104c16cfd58598917e0b50feab9365785eeff01b9bc6566f93006606808d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|073a104c16cfd58598917e0b50feab9365785eeff01b9bc6566f93006606808d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_executor.py"}, "region": {"startLine": 458}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_str_class_unbound_method_form: Test function `test_str_class_unbound_method_form` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58339, "scanner": "repobility-ast-engine", "fingerprint": "7733bc442d7c3f2b68a8ca35f59c1f421334e82eb5e062c786de9d43a8ee8a8a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7733bc442d7c3f2b68a8ca35f59c1f421334e82eb5e062c786de9d43a8ee8a8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_executor.py"}, "region": {"startLine": 368}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_nested_format_spec_blocked_subscript_template: Test function `test_nested_format_spec_blocked_subscript_template` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58338, "scanner": "repobility-ast-engine", "fingerprint": "a5dc8c548d089afd971550eb23aa9ecd84750b509294b800f5380cfbdc31cfff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a5dc8c548d089afd971550eb23aa9ecd84750b509294b800f5380cfbdc31cfff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_executor.py"}, "region": {"startLine": 359}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_nested_format_spec_blocked_template: Test function `test_nested_format_spec_blocked_template` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58337, "scanner": "repobility-ast-engine", "fingerprint": "2f8a24285bc498f468cf475696282881b1598539c8418226f80c05b58f55da32", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2f8a24285bc498f468cf475696282881b1598539c8418226f80c05b58f55da32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_executor.py"}, "region": {"startLine": 355}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_format_map_blocked_template: Test function `test_format_map_blocked_template` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58336, "scanner": "repobility-ast-engine", "fingerprint": "1f715d1ead089a5c7ed84757f1f5db3b8ce773f5291b3710d9e224e28a1f8caf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1f715d1ead089a5c7ed84757f1f5db3b8ce773f5291b3710d9e224e28a1f8caf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_executor.py"}, "region": {"startLine": 351}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_str_receiver_blocked_template: Test function `test_str_receiver_blocked_template` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58335, "scanner": "repobility-ast-engine", "fingerprint": "cc55a27b37ab1250fe9e467646dba7bf7562c416d5d23e0dc443f5561a112c89", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cc55a27b37ab1250fe9e467646dba7bf7562c416d5d23e0dc443f5561a112c89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_executor.py"}, "region": {"startLine": 347}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_safe_templates_pass: Test function `test_safe_templates_pass` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58334, "scanner": "repobility-ast-engine", "fingerprint": "1346f49287df64d5096614329cde149602df841ef1d0ce02fa48ddaca3f419f5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1346f49287df64d5096614329cde149602df841ef1d0ce02fa48ddaca3f419f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_executor.py"}, "region": {"startLine": 308}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_rejects_mutation: Test function `test_rejects_mutation` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58333, "scanner": "repobility-ast-engine", "fingerprint": "14211fb48be5e66fe1a8abdb26486d0aecf4d295919b5df41a27002a54d864e9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|14211fb48be5e66fe1a8abdb26486d0aecf4d295919b5df41a27002a54d864e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_executor.py"}, "region": {"startLine": 275}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_write_bytes_write_failure: Test function `test_write_bytes_write_failure` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58332, "scanner": "repobility-ast-engine", "fingerprint": "5560e4fc751ec861a6662445d00a2a9b3968e990a1ddfa3ca11007b4951fd418", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5560e4fc751ec861a6662445d00a2a9b3968e990a1ddfa3ca11007b4951fd418"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_executor.py"}, "region": {"startLine": 211}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_read_exact_bytes_eof_error: Test function `test_read_exact_bytes_eof_error` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58331, "scanner": "repobility-ast-engine", "fingerprint": "812f692f64bf8d4b5254547e364588bf7d08c1393117efce2dd1663347688bb6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|812f692f64bf8d4b5254547e364588bf7d08c1393117efce2dd1663347688bb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_executor.py"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_zero_exit_code_with_empty_pipe_raises_task_result_read_error: Test function `test_zero_exit_code_with_empty_pipe_raises_task_result_read_error` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58330, "scanner": "repobility-ast-engine", "fingerprint": "68060b8a13f880a38ce765646ef8b81cc395cca8c165166a2b1087f9b9bbe0c2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|68060b8a13f880a38ce765646ef8b81cc395cca8c165166a2b1087f9b9bbe0c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_executor.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_sigkill_raises_task_killed_error: Test function `test_sigkill_raises_task_killed_error` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58329, "scanner": "repobility-ast-engine", "fingerprint": "2c9957ae065e28cdae4f20b216a47c7a0b84a278c3decb7a1c3cc6095727adc4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2c9957ae065e28cdae4f20b216a47c7a0b84a278c3decb7a1c3cc6095727adc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_executor.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_sigterm_raises_task_cancelled_error: Test function `test_sigterm_raises_task_cancelled_error` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 58328, "scanner": "repobility-ast-engine", "fingerprint": "a49acbdb973ced285861cabb438f3ff11ae54bd84b9a662f4759d8bc34f7282a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a49acbdb973ced285861cabb438f3ff11ae54bd84b9a662f4759d8bc34f7282a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/tests/unit/test_task_executor.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_Global` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58323, "scanner": "repobility-ast-engine", "fingerprint": "aaac76165b23e7ccf6e0e7d4961d3735e8d08e0b45cda613edbe083967df0144", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aaac76165b23e7ccf6e0e7d4961d3735e8d08e0b45cda613edbe083967df0144"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 184}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generic_visit` used but never assigned in __init__: Method `visit_Global` of class `SecurityValidator` reads `self.generic_visit`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58322, "scanner": "repobility-ast-engine", "fingerprint": "117f611145095957b7cbd4b27a3b173a0bcb61ab634881645acbd96284642ba9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|117f611145095957b7cbd4b27a3b173a0bcb61ab634881645acbd96284642ba9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._check_format_string` used but never assigned in __init__: Method `visit_Constant` of class `SecurityValidator` reads `self._check_format_string`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58321, "scanner": "repobility-ast-engine", "fingerprint": "1a9f63c1d29368ace6d753a0fb03cbf8535a1103b4c737f1ada975708f75c60a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1a9f63c1d29368ace6d753a0fb03cbf8535a1103b4c737f1ada975708f75c60a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 175}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generic_visit` used but never assigned in __init__: Method `visit_Constant` of class `SecurityValidator` reads `self.generic_visit`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58320, "scanner": "repobility-ast-engine", "fingerprint": "552050581df3c72cfa6cf4c8b3808d59334910b234bf398bfecb4c0d3714d76c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|552050581df3c72cfa6cf4c8b3808d59334910b234bf398bfecb4c0d3714d76c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_Subscript` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58319, "scanner": "repobility-ast-engine", "fingerprint": "666082186bf28426265f98253b47b9178912b3308ea1de9e9bc64be19580823b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|666082186bf28426265f98253b47b9178912b3308ea1de9e9bc64be19580823b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generic_visit` used but never assigned in __init__: Method `visit_Subscript` of class `SecurityValidator` reads `self.generic_visit`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58318, "scanner": "repobility-ast-engine", "fingerprint": "07eaba4ed409e52a2086629113437f740d0a3d82c395dde2eadfb4581f6ff3c0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|07eaba4ed409e52a2086629113437f740d0a3d82c395dde2eadfb4581f6ff3c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 169}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_Call` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58317, "scanner": "repobility-ast-engine", "fingerprint": "ca9f5c6d4100c7cc451852887a4687da137dc4f7355e44c6eabbe06fc7e06f79", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ca9f5c6d4100c7cc451852887a4687da137dc4f7355e44c6eabbe06fc7e06f79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._validate_import` used but never assigned in __init__: Method `visit_Call` of class `SecurityValidator` reads `self._validate_import`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58316, "scanner": "repobility-ast-engine", "fingerprint": "bf982ed3f1bca5416ba43301b3f151f70dcecd177ed782420205391a32d3dedd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bf982ed3f1bca5416ba43301b3f151f70dcecd177ed782420205391a32d3dedd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generic_visit` used but never assigned in __init__: Method `visit_Call` of class `SecurityValidator` reads `self.generic_visit`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58315, "scanner": "repobility-ast-engine", "fingerprint": "4f2e011a10d143039f3b001536f4d584d4a581ccd7b8089c1463e6034934878b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4f2e011a10d143039f3b001536f4d584d4a581ccd7b8089c1463e6034934878b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_Attribute` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58314, "scanner": "repobility-ast-engine", "fingerprint": "13ec275e678e3190ede797c775dd921f06a3babf68fa77bf372b59cfbcdfc45a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|13ec275e678e3190ede797c775dd921f06a3babf68fa77bf372b59cfbcdfc45a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_Attribute` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58313, "scanner": "repobility-ast-engine", "fingerprint": "069bf685522c2a70d5e11d0d6d16c71f9bf9ca5662707d1f4b1cc1e75898dd54", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|069bf685522c2a70d5e11d0d6d16c71f9bf9ca5662707d1f4b1cc1e75898dd54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_Attribute` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58312, "scanner": "repobility-ast-engine", "fingerprint": "518fe9d3c5bdb37e1093fa095aeadb7511f36985ca7f0496cb84b77f212be5dd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|518fe9d3c5bdb37e1093fa095aeadb7511f36985ca7f0496cb84b77f212be5dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generic_visit` used but never assigned in __init__: Method `visit_Attribute` of class `SecurityValidator` reads `self.generic_visit`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58311, "scanner": "repobility-ast-engine", "fingerprint": "68ce0394b0cbfebd47de46214453f5f5feffb1f7f04acf726bfddf88abba55c6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|68ce0394b0cbfebd47de46214453f5f5feffb1f7f04acf726bfddf88abba55c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_Name` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58310, "scanner": "repobility-ast-engine", "fingerprint": "3467a905ee88162685db5f336e9c3474b835ec60e2a8b70b6bf6a3e3a05c2715", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3467a905ee88162685db5f336e9c3474b835ec60e2a8b70b6bf6a3e3a05c2715"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generic_visit` used but never assigned in __init__: Method `visit_Name` of class `SecurityValidator` reads `self.generic_visit`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58309, "scanner": "repobility-ast-engine", "fingerprint": "7544e8524e60f801d3d83281b18c6adc9173c47a0470d2f38614e6f9aeb9a562", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7544e8524e60f801d3d83281b18c6adc9173c47a0470d2f38614e6f9aeb9a562"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_ImportFrom` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58308, "scanner": "repobility-ast-engine", "fingerprint": "8aaec5a9e9936becc08520867f02f3ec5420902dc9868e9a90e04e6cc25f6c2e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8aaec5a9e9936becc08520867f02f3ec5420902dc9868e9a90e04e6cc25f6c2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_ImportFrom` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58307, "scanner": "repobility-ast-engine", "fingerprint": "c7dd1d65a173ea81ee3e9835aa2ac724415fd7e50fc45d3ec478285822394f47", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c7dd1d65a173ea81ee3e9835aa2ac724415fd7e50fc45d3ec478285822394f47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._validate_import` used but never assigned in __init__: Method `visit_ImportFrom` of class `SecurityValidator` reads `self._validate_import`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58306, "scanner": "repobility-ast-engine", "fingerprint": "9fda821c8a2db8ec03238eaa08cd062afa41654d6b7bdafd62d18af0fa4b3ef0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9fda821c8a2db8ec03238eaa08cd062afa41654d6b7bdafd62d18af0fa4b3ef0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_ImportFrom` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58305, "scanner": "repobility-ast-engine", "fingerprint": "79b1107635bf0525bbf07fb58b321a941dad5e447bc51d0f1023979f2bf55852", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|79b1107635bf0525bbf07fb58b321a941dad5e447bc51d0f1023979f2bf55852"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generic_visit` used but never assigned in __init__: Method `visit_ImportFrom` of class `SecurityValidator` reads `self.generic_visit`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58304, "scanner": "repobility-ast-engine", "fingerprint": "c3f6c7a090a075558b8e6b364aaa4a93b40f65b47c06fe9b068a24e06eed9d17", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c3f6c7a090a075558b8e6b364aaa4a93b40f65b47c06fe9b068a24e06eed9d17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_Import` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58303, "scanner": "repobility-ast-engine", "fingerprint": "393239ad6bf03af111ea8d508e74c039a6031db72463101903dbe636684036bd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|393239ad6bf03af111ea8d508e74c039a6031db72463101903dbe636684036bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._validate_import` used but never assigned in __init__: Method `visit_Import` of class `SecurityValidator` reads `self._validate_import`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58302, "scanner": "repobility-ast-engine", "fingerprint": "897476ce1a6cb01e50d12289e4edfe54415abf1b5ceb83cfb78135f5ae8e67a6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|897476ce1a6cb01e50d12289e4edfe54415abf1b5ceb83cfb78135f5ae8e67a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generic_visit` used but never assigned in __init__: Method `visit_Import` of class `SecurityValidator` reads `self.generic_visit`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58301, "scanner": "repobility-ast-engine", "fingerprint": "97efc2c0e9dd62247003770d0742a3287f20175cfad7c654493a1ca1f62b452c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|97efc2c0e9dd62247003770d0742a3287f20175cfad7c654493a1ca1f62b452c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/task_analyzer.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._is_from_user_code` used but never assigned in __init__: Method `_filter_out_ignored_errors` of class `TaskRunnerSentry` reads `self._is_from_user_code`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58300, "scanner": "repobility-ast-engine", "fingerprint": "85c4ea1873c8cc808d25a431b11d5fb68e5403c85cbeb1593a0f05b576b0cf32", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|85c4ea1873c8cc808d25a431b11d5fb68e5403c85cbeb1593a0f05b576b0cf32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/sentry.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._filter_out_ignored_errors` used but never assigned in __init__: Method `init` of class `TaskRunnerSentry` reads `self._filter_out_ignored_errors`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58299, "scanner": "repobility-ast-engine", "fingerprint": "f9bb8c7e727420438ce7e3eff30fb569e0703f5b73c38dff4edd680a9a795f25", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f9bb8c7e727420438ce7e3eff30fb569e0703f5b73c38dff4edd680a9a795f25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/task-runner-python/src/sentry.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 58297, "scanner": "repobility-journey-contract", "fingerprint": "a4c4f8e3420d20385ea76198651f1ec277f268a7acac857a8bfcfc4e8f545c56", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|221|jrn004", "backend_consent_model": true, "backend_audit_signal_count": 2}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/modules/external-secrets.ee/providers/infisical.ts"}, "region": {"startLine": 221}}}]}, {"ruleId": "DKC006", "level": "error", "message": {"text": "Compose service explicitly runs as root"}, "properties": {"repobilityId": 58274, "scanner": "repobility-docker", "fingerprint": 
"2ae5f6a00daf23ce22cf6ba8c20fadc852365b5a566cf4dde8be138da6d172dc", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "The service sets user to root and no privilege-drop wrapper was detected.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "n8n", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2ae5f6a00daf23ce22cf6ba8c20fadc852365b5a566cf4dde8be138da6d172dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/sqlite/docker-compose.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC006", "level": "error", "message": {"text": "Compose service explicitly runs as root"}, "properties": {"repobilityId": 58267, "scanner": "repobility-docker", "fingerprint": "33f8de8f94510eb7aed13c6c1b6b6f97acc1f87b911ee1105c7701b627371d5f", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "The service sets user to root and no privilege-drop wrapper was detected.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "n8n", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|33f8de8f94510eb7aed13c6c1b6b6f97acc1f87b911ee1105c7701b627371d5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 131}}}]}, {"ruleId": "DKC006", "level": "error", "message": {"text": "Compose service explicitly runs as root"}, "properties": {"repobilityId": 58262, "scanner": "repobility-docker", "fingerprint": "0253d13c79896e15aae06fde706c58dd90064e153e71dff3eb0d3c772199c29f", 
"category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "The service sets user to root and no privilege-drop wrapper was detected.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "n8n_worker2", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0253d13c79896e15aae06fde706c58dd90064e153e71dff3eb0d3c772199c29f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "DKC006", "level": "error", "message": {"text": "Compose service explicitly runs as root"}, "properties": {"repobilityId": 58257, "scanner": "repobility-docker", "fingerprint": "5bd33b5931a639a8891a0b012f39b72337fae76d1157cc3d221663b771f1e522", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "The service sets user to root and no privilege-drop wrapper was detected.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "n8n_worker1", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5bd33b5931a639a8891a0b012f39b72337fae76d1157cc3d221663b771f1e522"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKC006", "level": "error", "message": {"text": "Compose service explicitly runs as root"}, "properties": {"repobilityId": 58254, "scanner": "repobility-docker", "fingerprint": "218805cd03d811b9b4a3fe4e5867f557cb35c5a60268633fd5c716dd3e8670d7", "category": "docker", "severity": "high", 
"confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "The service sets user to root and no privilege-drop wrapper was detected.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "postgres", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|218805cd03d811b9b4a3fe4e5867f557cb35c5a60268633fd5c716dd3e8670d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 58252, "scanner": "repobility-docker", "fingerprint": "4f6b1ce4623e5d93adbe351dbbb95659b71d322acabb74b86621e553f13cf36d", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "6379:6379", "target": "6379", "host_ip": "", "published": "6379"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|4f6b1ce4623e5d93adbe351dbbb95659b71d322acabb74b86621e553f13cf36d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 58234, "scanner": "repobility-docker", "fingerprint": 
"81b3be724aba862559faca107520a4c7720c5230d0b223168c62db2bf7cfa1dd", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "6379:6379", "target": "6379", "host_ip": "", "published": "6379"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|81b3be724aba862559faca107520a4c7720c5230d0b223168c62db2bf7cfa1dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC006", "level": "error", "message": {"text": "Compose service explicitly runs as root"}, "properties": {"repobilityId": 58226, "scanner": "repobility-docker", "fingerprint": "738b552bc58722ecd09e58d0b9f4aa89ef37f06a07102b6bb01e95edc67e1047", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "The service sets user to root and no privilege-drop wrapper was detected.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "n8n", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|738b552bc58722ecd09e58d0b9f4aa89ef37f06a07102b6bb01e95edc67e1047"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/postgres/docker-compose.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKC006", "level": "error", "message": {"text": "Compose service explicitly runs as root"}, 
"properties": {"repobilityId": 58223, "scanner": "repobility-docker", "fingerprint": "ddfd7e875aaae88a63819bda6a414e4f07edd2bf1eb32e5201da5531f2f61ec7", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "The service sets user to root and no privilege-drop wrapper was detected.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "postgres", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ddfd7e875aaae88a63819bda6a414e4f07edd2bf1eb32e5201da5531f2f61ec7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/postgres/docker-compose.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 58219, "scanner": "repobility-docker", "fingerprint": "753df3a7132f61e9dfa9074828378f59fe932c5e332ab9a54d6e6cfeee2bf8c3", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|753df3a7132f61e9dfa9074828378f59fe932c5e332ab9a54d6e6cfeee2bf8c3", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 58218, "scanner": "repobility-docker", "fingerprint": 
"5d6fb2213891603f0f9012062eed917d519466fe82e5786dae5efcb4f0a98a95", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|5d6fb2213891603f0f9012062eed917d519466fe82e5786dae5efcb4f0a98a95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 58175, "scanner": "repobility-threat-engine", "fingerprint": "9f8073e83534d858958fbce3209e9fd3447af28dfa0bb6dd9c1858c0de32f87a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9f8073e83534d858958fbce3209e9fd3447af28dfa0bb6dd9c1858c0de32f87a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/mcp-browser/src/server.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED099", "level": "error", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. 
AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 58172, "scanner": "repobility-threat-engine", "fingerprint": "ad97024294303f3e8b5a7966f71c13de7714da174ca1662eb2bebe1218d25e25", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ad97024294303f3e8b5a7966f71c13de7714da174ca1662eb2bebe1218d25e25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/mcp-browser/src/redaction/patterns.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED099", "level": "error", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. 
AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 58171, "scanner": "repobility-threat-engine", "fingerprint": "eb87d6365c832d02195d8c30bf721462aea6d6d5e6a2679c4a61854886e18ea4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eb87d6365c832d02195d8c30bf721462aea6d6d5e6a2679c4a61854886e18ea4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/instance-ai/evaluations/computer-use/graders/security.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 58169, "scanner": "repobility-threat-engine", "fingerprint": "6312e50d10d9ded586e8f434f24d138dc1540ff41238f45fa7f3520c0170a611", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(grader", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6312e50d10d9ded586e8f434f24d138dc1540ff41238f45fa7f3520c0170a611"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/instance-ai/evaluations/computer-use/graders/trace.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 58168, "scanner": "repobility-threat-engine", "fingerprint": "a698244eae91a96c28787682d347b0ff04864665780fa94e1b39a53b79330536", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a698244eae91a96c28787682d347b0ff04864665780fa94e1b39a53b79330536"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/instance-ai/evaluations/computer-use/graders/fs.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 58167, "scanner": "repobility-threat-engine", "fingerprint": "bed8447a677a49615e749a54083ec59d6e36a98a9dacdf4529621667fb27adb6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(escapeRegex", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bed8447a677a49615e749a54083ec59d6e36a98a9dacdf4529621667fb27adb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/computer-use/src/tools/filesystem/search-files.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 58166, "scanner": "repobility-threat-engine", "fingerprint": "20a4e364b67da45924d75b1459854f76948924a84e5f752cf97d94898e64917f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|20a4e364b67da45924d75b1459854f76948924a84e5f752cf97d94898e64917f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/nodes-langchain/nodes/agents/Agent/agents/SqlAgent/other/handlers/postgres.ts"}, "region": {"startLine": 
11}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 58165, "scanner": "repobility-threat-engine", "fingerprint": "07d0366c19ac848c0eb0927cea03abd3a8c5e63b2071eaff205969244e165bf2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|07d0366c19ac848c0eb0927cea03abd3a8c5e63b2071eaff205969244e165bf2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/client-oauth2/src/client-oauth2.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC111", "level": "error", "message": {"text": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. 
Calling them on non-constant data is XSS."}, "properties": {"repobilityId": 58159, "scanner": "repobility-threat-engine", "fingerprint": "72e76b068163d6ebe3cf11c1a752813c57ca5232d724091252f949765e9c89e5", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "safeString(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC111", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|72e76b068163d6ebe3cf11c1a752813c57ca5232d724091252f949765e9c89e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/src/tools/introspect.tool.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 58150, "scanner": "repobility-threat-engine", "fingerprint": "09ccb9f304ac00dda7d5555ef02dc55f49ed694486ec5590924e2b29b5ee23c4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|09ccb9f304ac00dda7d5555ef02dc55f49ed694486ec5590924e2b29b5ee23c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/db/src/services/db-lock.service.ts"}, "region": {"startLine": 191}}}]}, 
{"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 58149, "scanner": "repobility-threat-engine", "fingerprint": "89aea14dd76fea76344b5284c0d4a38c7d422f492ea5f04e230816e82f7d8026", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|89aea14dd76fea76344b5284c0d4a38c7d422f492ea5f04e230816e82f7d8026"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/src/assistant/assistant-handler.ts"}, "region": {"startLine": 270}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... 
\u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 58144, "scanner": "repobility-threat-engine", "fingerprint": "b14b8a88cb3960b157fd88e5137e8e17e315be2d4ebb955d2a33debb8cfc1f31", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b14b8a88cb3960b157fd88e5137e8e17e315be2d4ebb955d2a33debb8cfc1f31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/compare_workflows.py"}, "region": {"startLine": 329}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 58143, "scanner": "repobility-threat-engine", "fingerprint": "cda1769de8082337c0b40aea16a4b97e2b1d2fc6fdead5e3a7dbac9b5647385f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cda1769de8082337c0b40aea16a4b97e2b1d2fc6fdead5e3a7dbac9b5647385f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/@n8n/ai-workflow-builder.ee/evaluations/harness/output.ts"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 58116, "scanner": "repobility-threat-engine", "fingerprint": "0e1bd4588bb6577399e00031ef883ee4ca6db4cc53a280fe3feb2b00ddc1b8b1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.queuesByScope.delete(scopeKey);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0e1bd4588bb6577399e00031ef883ee4ca6db4cc53a280fe3feb2b00ddc1b8b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/runtime/scoped-memory-task-runner.ts"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 58115, "scanner": "repobility-threat-engine", "fingerprint": "7495b71c4f79d93d73fde0be841626fa47c352e42f96c0d961b57994ec61b70f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "seen.delete(value);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7495b71c4f79d93d73fde0be841626fa47c352e42f96c0d961b57994ec61b70f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/runtime/json-value.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 58114, "scanner": "repobility-threat-engine", "fingerprint": "1f56fee743da9dc9b27f4775113621bc8a7e2d048452248c8705f95d505547ff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.inFlight.delete(promise);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1f56fee743da9dc9b27f4775113621bc8a7e2d048452248c8705f95d505547ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/runtime/background-task-tracker.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 58105, "scanner": "repobility-threat-engine", "fingerprint": "224407006a8c8455a3aea283688bfb5ff4a9e7568c0b4483e823213d62a2b938", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(n", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|224407006a8c8455a3aea283688bfb5ff4a9e7568c0b4483e823213d62a2b938"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/runtime/model-factory.ts"}, "region": {"startLine": 149}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 58104, "scanner": "repobility-threat-engine", "fingerprint": "18c77962543a4a7f9fb9a68e7d7f725eccd973d37d0cf944f55841ff01affe99", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|18c77962543a4a7f9fb9a68e7d7f725eccd973d37d0cf944f55841ff01affe99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/runtime/mcp-connection.ts"}, "region": {"startLine": 213}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 58103, "scanner": "repobility-threat-engine", "fingerprint": "c8787df0a8ac09d2f208997d9a8c5f7c5a20ca1448f21f232044d051de51d818", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c8787df0a8ac09d2f208997d9a8c5f7c5a20ca1448f21f232044d051de51d818"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/slack/notify.mjs"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 58101, "scanner": "repobility-threat-engine", "fingerprint": "b53dafebe6370b61776d79e2dae17b9f932e08ad76413ce443f18e2c90eada95", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b53dafebe6370b61776d79e2dae17b9f932e08ad76413ce443f18e2c90eada95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/runtime/title-generation.ts"}, "region": {"startLine": 195}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input 
enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 58100, "scanner": "repobility-threat-engine", "fingerprint": "c266ca590533ccfc2d256672a23764739987140fa3c8418e90b4d449da0fd4e7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(rawLine", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c266ca590533ccfc2d256672a23764739987140fa3c8418e90b4d449da0fd4e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/runtime/observation-log-observer.ts"}, "region": {"startLine": 96}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 58099, "scanner": "repobility-threat-engine", "fingerprint": "3a8b633122fa54606b21d853b82c2ed09235b8111bd0dcbbca1c366ba5272938", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3a8b633122fa54606b21d853b82c2ed09235b8111bd0dcbbca1c366ba5272938"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/retry.mjs"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 58089, "scanner": "repobility-threat-engine", "fingerprint": "8fe7545a60a0a06d49c76e85eacdeb2871552a94ef2f9b26887034b1dc2089e3", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([k, v]) => `${k}=${v ?? 
''}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8fe7545a60a0a06d49c76e85eacdeb2871552a94ef2f9b26887034b1dc2089e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/github-helpers.mjs"}, "region": {"startLine": 257}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 58088, "scanner": "repobility-threat-engine", "fingerprint": "ae87b9886e7a33037cf2776203e4a71fe18e6abcc9cb295845955cea4e72f7ca", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([key, val]) => `${key}=${val}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ae87b9886e7a33037cf2776203e4a71fe18e6abcc9cb295845955cea4e72f7ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/determine-version-info.mjs"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. 
The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 58087, "scanner": "repobility-threat-engine", "fingerprint": "98975be43ffbb2d2593dabde3582892c0ff7a783088725142a00906559bf7728", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((f) => `  - ${templateDir}/${f}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|98975be43ffbb2d2593dabde3582892c0ff7a783088725142a00906559bf7728"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/claude-task/prepare-claude-prompt.mjs"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.N8N_ASSISTANT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_ASSISTANT_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58403, "scanner": "repobility-supply-chain", "fingerprint": "09f78c852259d857bd389429d9d57b09d5938d9677a26943d492e857cdd494a7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|09f78c852259d857bd389429d9d57b09d5938d9677a26943d492e857cdd494a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/util-backport-bundle.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.QBOT_SLACK_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.QBOT_SLACK_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58402, "scanner": "repobility-supply-chain", "fingerprint": "eb9f27117000800b47a557d1a0dc1f290fa445a9c3160cc0b508001514ed856d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb9f27117000800b47a557d1a0dc1f290fa445a9c3160cc0b508001514ed856d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-windows.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.QBOT_SLACK_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.QBOT_SLACK_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58401, "scanner": "repobility-supply-chain", "fingerprint": "c3d9867e2db66a952c71ff5beeb6e403a5c457645356ee0389f3419d733a60cf", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c3d9867e2db66a952c71ff5beeb6e403a5c457645356ee0389f3419d733a60cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sec-publish-fix.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.N8N_ASSISTANT_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_ASSISTANT_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58400, "scanner": "repobility-supply-chain", "fingerprint": "fba81c749507a7234452b45250357fd89c5549d3d08b526d148f32135dcdf8b4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fba81c749507a7234452b45250357fd89c5549d3d08b526d148f32135dcdf8b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sec-publish-fix.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.N8N_ASSISTANT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_ASSISTANT_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58399, "scanner": "repobility-supply-chain", "fingerprint": "3f9ef4ba449eeae6c4c50035de60190e6dcd12a676a2b835d10628b84c4cc0f6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3f9ef4ba449eeae6c4c50035de60190e6dcd12a676a2b835d10628b84c4cc0f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sec-publish-fix.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.QBOT_SLACK_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.QBOT_SLACK_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58398, "scanner": "repobility-supply-chain", "fingerprint": "65de74663772fe9cb4857fd64fb9e88cd129470abab54f90c775442493d01493", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|65de74663772fe9cb4857fd64fb9e88cd129470abab54f90c775442493d01493"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-build-smoke.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.N8N_ASSISTANT_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_ASSISTANT_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58397, "scanner": "repobility-supply-chain", "fingerprint": "aa0c7839842ec4930bd425afb4e0c7656aa4f0a0979cf85bd905e2b0098649b9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa0c7839842ec4930bd425afb4e0c7656aa4f0a0979cf85bd905e2b0098649b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-build-smoke.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.N8N_ASSISTANT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_ASSISTANT_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58396, "scanner": "repobility-supply-chain", "fingerprint": "91c30d8394a218a4927d1a481163affa22c5f74852943fe355001f8ad8e13293", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|91c30d8394a218a4927d1a481163affa22c5f74852943fe355001f8ad8e13293"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-build-smoke.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKER_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58395, "scanner": "repobility-supply-chain", "fingerprint": "f9ebae31db33fc5a4a0d2668fb656115d272125c5a322b80858984b77b24ee34", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f9ebae31db33fc5a4a0d2668fb656115d272125c5a322b80858984b77b24ee34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-build-smoke.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKER_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58394, "scanner": "repobility-supply-chain", "fingerprint": "14fe624d87b6a6e971b04d8fcae282124b2b4f34f056fac3a9244a92aa266645", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|14fe624d87b6a6e971b04d8fcae282124b2b4f34f056fac3a9244a92aa266645"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-build-smoke.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.N8N_NOTIFY_PR_STATUS_CHANGED_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_NOTIFY_PR_STATUS_CHANGED_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58393, "scanner": "repobility-supply-chain", "fingerprint": "4129c02fa37b28bfa174f882bff9f958f9fdabb67ceae4d9fbe8e76571193503", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4129c02fa37b28bfa174f882bff9f958f9fdabb67ceae4d9fbe8e76571193503"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/util-notify-pr-status.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.N8N_NOTIFY_PR_STATUS_CHANGED_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_NOTIFY_PR_STATUS_CHANGED_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58392, "scanner": "repobility-supply-chain", "fingerprint": "9ab7471e8db670192dae02e453858b1d5b85e8bb574050ba06f566c2ceb60a19", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ab7471e8db670192dae02e453858b1d5b85e8bb574050ba06f566c2ceb60a19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/util-notify-pr-status.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.N8N_NOTIFY_PR_STATUS_CHANGED_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_NOTIFY_PR_STATUS_CHANGED_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58391, "scanner": "repobility-supply-chain", "fingerprint": "c919c9f02223cd5dc5118a8bdecc3008dfc962a98088ab6731cc247e4736e9a4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c919c9f02223cd5dc5118a8bdecc3008dfc962a98088ab6731cc247e4736e9a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/util-notify-pr-status.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.RELEASE_HELPER_SLACK_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.RELEASE_HELPER_SLACK_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58390, "scanner": "repobility-supply-chain", "fingerprint": "b0047be4533694a983bd45d844a6d96c2395b1e711ed0efd5ba5b50db55de85b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b0047be4533694a983bd45d844a6d96c2395b1e711ed0efd5ba5b50db55de85b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-detect-new-packages.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.N8N_ASSISTANT_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_ASSISTANT_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58389, "scanner": "repobility-supply-chain", "fingerprint": "ce45a09011f68bcca6a4981981514eca1670b4fdaca7507304cbad02d0f78c59", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ce45a09011f68bcca6a4981981514eca1670b4fdaca7507304cbad02d0f78c59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/util-cleanup-abandoned-release-branches.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.N8N_ASSISTANT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_ASSISTANT_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58388, "scanner": "repobility-supply-chain", "fingerprint": "357c74f6892106e652190dbbfe5c9aca194a74b01487c043f50c4b6cada1aa5a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|357c74f6892106e652190dbbfe5c9aca194a74b01487c043f50c4b6cada1aa5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/util-cleanup-abandoned-release-branches.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58387, "scanner": "repobility-supply-chain", "fingerprint": "860baecf6a82d6532095bbf80734e7673dd8582fbb88fce71f3ac0e83215f7e1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|860baecf6a82d6532095bbf80734e7673dd8582fbb88fce71f3ac0e83215f7e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-visual-storybook.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58386, "scanner": "repobility-supply-chain", "fingerprint": "fa678d928144be8e0da6650006806473a51037488bc33965b452f6a6fc5d7eb3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa678d928144be8e0da6650006806473a51037488bc33965b452f6a6fc5d7eb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-visual-storybook.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58385, "scanner": "repobility-supply-chain", "fingerprint": "819ee6463367e0d00858d6ba0aa4ff359450fb62e95efe734b13d6fe83d98515", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|819ee6463367e0d00858d6ba0aa4ff359450fb62e95efe734b13d6fe83d98515"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-evals-python.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.RELEASE_HELPER_SLACK_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.RELEASE_HELPER_SLACK_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58381, "scanner": "repobility-supply-chain", "fingerprint": "b1ff4f581317a545c375de2c6051c4c00d1e29a01dfa4234d3b03579c5d1e41e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b1ff4f581317a545c375de2c6051c4c00d1e29a01dfa4234d3b03579c5d1e41e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-publish.yml"}, "region": {"startLine": 252}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SENTRY_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58380, "scanner": "repobility-supply-chain", "fingerprint": "5e6c1939548393e98e4cae029d50c4f8f9491492e3075770e7dedbcfafb621ca", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5e6c1939548393e98e4cae029d50c4f8f9491492e3075770e7dedbcfafb621ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-publish.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.QA_METRICS_WEBHOOK_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.QA_METRICS_WEBHOOK_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58379, "scanner": "repobility-supply-chain", "fingerprint": "a644cdd67503d46cf6670d6bde9df9458492f0a2448a36fc38b95dbff79cd1c1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a644cdd67503d46cf6670d6bde9df9458492f0a2448a36fc38b95dbff79cd1c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-pull-requests.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.QA_METRICS_WEBHOOK_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.QA_METRICS_WEBHOOK_USER }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58378, "scanner": "repobility-supply-chain", "fingerprint": "3b01b3bf14ff645287b3ed7badf4d3c8260e344efef8e49cfb447c42ca686a0b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3b01b3bf14ff645287b3ed7badf4d3c8260e344efef8e49cfb447c42ca686a0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-pull-requests.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.QA_METRICS_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.QA_METRICS_WEBHOOK_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58377, "scanner": "repobility-supply-chain", "fingerprint": "55a792301c4fcc26aacf75c25ca6539325f232c4446c63596465f137e492089a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|55a792301c4fcc26aacf75c25ca6539325f232c4446c63596465f137e492089a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-pull-requests.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 58376, "scanner": "repobility-supply-chain", "fingerprint": "24b03d7f77f4b6fa9e8c78284aeed27cda7fdf2fbebb2e384513d07a8466e386", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|24b03d7f77f4b6fa9e8c78284aeed27cda7fdf2fbebb2e384513d07a8466e386"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-pull-requests.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58278, "scanner": "repobility-docker", "fingerprint": "bd790b3f0e35beed7dbd337efaf6e3c91663cda1416dc228003c9cb291d6a45b", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "runners", "variable": "N8N_RUNNERS_AUTH_TOKEN", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|bd790b3f0e35beed7dbd337efaf6e3c91663cda1416dc228003c9cb291d6a45b", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/sqlite/docker-compose.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKC007", "level": "error", "message": 
{"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58275, "scanner": "repobility-docker", "fingerprint": "1a43f2c77783ffd29779ef866c063c2852092c912e63d40422996c4be6d7e90b", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "n8n", "variable": "N8N_RUNNERS_AUTH_TOKEN", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|1a43f2c77783ffd29779ef866c063c2852092c912e63d40422996c4be6d7e90b", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/sqlite/docker-compose.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58268, "scanner": "repobility-docker", "fingerprint": "598da0a114a9a918e0bef0f2f79199b0e16dc174f56b069aef2df3b1ef941f62", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "n8n", "variable": "DB_POSTGRESDB_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|598da0a114a9a918e0bef0f2f79199b0e16dc174f56b069aef2df3b1ef941f62", "compose_secrets_declared": false}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 131}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58265, "scanner": "repobility-docker", "fingerprint": "eda64077373e1d6328b0392d400dab69635aba294da82b98cd0a7239fdd4baf0", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "n8n_worker2_runners", "variable": "N8N_RUNNERS_AUTH_TOKEN", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|eda64077373e1d6328b0392d400dab69635aba294da82b98cd0a7239fdd4baf0", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 121}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58263, "scanner": "repobility-docker", "fingerprint": "46b1c621fdb7a26f7942fd1735651b3be6ba106c2fce6f2fd11369433aea0bcc", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "n8n_worker2", "variable": "DB_POSTGRESDB_PASSWORD", "references": 
["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|46b1c621fdb7a26f7942fd1735651b3be6ba106c2fce6f2fd11369433aea0bcc", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58260, "scanner": "repobility-docker", "fingerprint": "cfa34384847fbedd614134685b0de9b37aad7a28a1b3f6ae7aeeb267fa0e16ef", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "n8n_worker1_runners", "variable": "N8N_RUNNERS_AUTH_TOKEN", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|cfa34384847fbedd614134685b0de9b37aad7a28a1b3f6ae7aeeb267fa0e16ef", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58258, "scanner": "repobility-docker", "fingerprint": "4b90acb26b353da33c3faaa0c99571968a6306a86b57a2c86d8586489a52c7ed", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "n8n_worker1", "variable": "DB_POSTGRESDB_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|4b90acb26b353da33c3faaa0c99571968a6306a86b57a2c86d8586489a52c7ed", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58255, "scanner": "repobility-docker", "fingerprint": "ac2541bfb5d2572363122edfb9ea15bb906bd289686a3306a5d0872b244c819d", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|ac2541bfb5d2572363122edfb9ea15bb906bd289686a3306a5d0872b244c819d", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 
58248, "scanner": "repobility-docker", "fingerprint": "0c2eeed6bcb0611842f1dc822661af5fb40180f28906186166e20be8dd70f1b0", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "n8n_main1", "variable": "DB_POSTGRESDB_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|0c2eeed6bcb0611842f1dc822661af5fb40180f28906186166e20be8dd70f1b0", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml"}, "region": {"startLine": 173}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58246, "scanner": "repobility-docker", "fingerprint": "63dfdb2ba91eeb700b0705ef462fedb43695248e4403082d051a6f296ab70718", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "n8n_main2", "variable": "DB_POSTGRESDB_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|63dfdb2ba91eeb700b0705ef462fedb43695248e4403082d051a6f296ab70718", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml"}, "region": {"startLine": 135}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58244, "scanner": "repobility-docker", "fingerprint": "8ce72c54cd37d1ec812d9bd0f9cd118220974e60a6167406022a6c888a890705", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "n8n_worker2_runners", "variable": "N8N_RUNNERS_AUTH_TOKEN", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|8ce72c54cd37d1ec812d9bd0f9cd118220974e60a6167406022a6c888a890705", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml"}, "region": {"startLine": 125}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58242, "scanner": "repobility-docker", "fingerprint": "a6135061361a5606364e47c5df8860481969d55b17bf84ca7d04fdddd2ce51d4", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "n8n_worker2", "variable": "DB_POSTGRESDB_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", 
"https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|a6135061361a5606364e47c5df8860481969d55b17bf84ca7d04fdddd2ce51d4", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml"}, "region": {"startLine": 83}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58240, "scanner": "repobility-docker", "fingerprint": "0041cfdb61b318658ffa65fdcbdb360cd9fbd0c7835a5a410f7539e736738344", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "n8n_worker1_runners", "variable": "N8N_RUNNERS_AUTH_TOKEN", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|0041cfdb61b318658ffa65fdcbdb360cd9fbd0c7835a5a410f7539e736738344", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml"}, "region": {"startLine": 73}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58238, "scanner": "repobility-docker", "fingerprint": "6906d4945a54e6bc189b48d8cd04fa9e8bd92ba0c2af84d2aa58652a4d1ad168", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is 
a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "n8n_worker1", "variable": "DB_POSTGRESDB_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|6906d4945a54e6bc189b48d8cd04fa9e8bd92ba0c2af84d2aa58652a4d1ad168", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58236, "scanner": "repobility-docker", "fingerprint": "4f50f4b42a35c4d10be9f168e847d16be48cd5aed392fcd6e820550abea4a202", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|4f50f4b42a35c4d10be9f168e847d16be48cd5aed392fcd6e820550abea4a202", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58230, "scanner": "repobility-docker", "fingerprint": 
"ade1f9436217c79f07c30477f61f6b3113df665cba95675492fc9ee050d128cd", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "runners", "variable": "N8N_RUNNERS_AUTH_TOKEN", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|ade1f9436217c79f07c30477f61f6b3113df665cba95675492fc9ee050d128cd", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/postgres/docker-compose.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58227, "scanner": "repobility-docker", "fingerprint": "029666ec0d11dfcf02bd1cc2bf5aa27349b9125cf4d38f0e811e049a88d941e7", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "n8n", "variable": "DB_POSTGRESDB_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|029666ec0d11dfcf02bd1cc2bf5aa27349b9125cf4d38f0e811e049a88d941e7", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/postgres/docker-compose.yml"}, "region": {"startLine": 25}}}]}, 
{"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58224, "scanner": "repobility-docker", "fingerprint": "53293e2a521debe90865e743d091dd0744cc90543faf3c4c504c81c545cb0a3d", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|53293e2a521debe90865e743d091dd0744cc90543faf3c4c504c81c545cb0a3d", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/benchmark/scripts/n8n-setups/postgres/docker-compose.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58217, "scanner": "repobility-docker", "fingerprint": "6ca33fc97b170a817b0a20413db6102b0c1c1101e56f9f02c00268d52f438953", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|6ca33fc97b170a817b0a20413db6102b0c1c1101e56f9f02c00268d52f438953", 
"compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58215, "scanner": "repobility-docker", "fingerprint": "4958bb46d780c72709815ec0901c82d4b7a7db7489231f9d7bededd15b2499d0", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "n8n", "variable": "DB_POSTGRESDB_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|4958bb46d780c72709815ec0901c82d4b7a7db7489231f9d7bededd15b2499d0", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 58212, "scanner": "repobility-docker", "fingerprint": "4f6dcac416884986b91cc81fdefa8ed1be3ca71de01241b9299463668d1c165f", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", 
"https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|4f6dcac416884986b91cc81fdefa8ed1be3ca71de01241b9299463668d1c165f", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 58157, "scanner": "repobility-threat-engine", "fingerprint": "c1ddd91d4c61612bdccfc9d61eaf3f29648f6e4e5b6d9120d120a338068de395", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c1ddd91d4c61612bdccfc9d61eaf3f29648f6e4e5b6d9120d120a338068de395"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/nodes-langchain/nodes/agents/Agent/agents/ConversationalAgent/execute.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 58156, "scanner": "repobility-threat-engine", "fingerprint": "3ce2b2503a72cdc655e9e1c0553dfc2bf00d52e6b1d92f8e4f8235daacde902f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", 
"evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3ce2b2503a72cdc655e9e1c0553dfc2bf00d52e6b1d92f8e4f8235daacde902f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/src/prompts/chains/compact.prompt.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 58155, "scanner": "repobility-threat-engine", "fingerprint": "642b73acca64fa04f6d416231491c59a641093ab236a10577304d4d98a8a2918", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|642b73acca64fa04f6d416231491c59a641093ab236a10577304d4d98a8a2918"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/src/prompts/chains/categorization.prompt.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. 
Code injection risk."}, "properties": {"repobilityId": 58112, "scanner": "repobility-threat-engine", "fingerprint": "8d7891dea5da2d85b0ac184e55cb1e9f13a54bff1eea9241cd25899f8763d7b6", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8d7891dea5da2d85b0ac184e55cb1e9f13a54bff1eea9241cd25899f8763d7b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/evals/correctness.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. 
Code injection risk."}, "properties": {"repobilityId": 58111, "scanner": "repobility-threat-engine", "fingerprint": "9b11a451d2ba6e0a5627e95839d2b0c359666f17cccd05900a26e5bdcfbe679a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9b11a451d2ba6e0a5627e95839d2b0c359666f17cccd05900a26e5bdcfbe679a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/evals/contains-keywords.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. 
Code injection risk."}, "properties": {"repobilityId": 58110, "scanner": "repobility-threat-engine", "fingerprint": "21a83f3ad29362c59e74a2232669bee9566be67b2cff4ca315060ff1e82d975d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|21a83f3ad29362c59e74a2232669bee9566be67b2cff4ca315060ff1e82d975d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/evals/categorization.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 58109, "scanner": "repobility-threat-engine", "fingerprint": "136f8d369aa99c97c43efafa4147f6f73b516e85e38d0c7400322a80ccaa1cbb", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(filePath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|136f8d369aa99c97c43efafa4147f6f73b516e85e38d0c7400322a80ccaa1cbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/ai-workflow-builder.ee/evaluations/support/workflow-executor.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 58108, "scanner": "repobility-threat-engine", "fingerprint": "cf6b6a99fada2a67abca6e4d2e8ce105c18137d192ccc3a63cad3f27dc5a17f8", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(entry", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cf6b6a99fada2a67abca6e4d2e8ce105c18137d192ccc3a63cad3f27dc5a17f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/@n8n/agents/src/runtime/model-factory.ts"}, "region": {"startLine": 263}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 58107, "scanner": "repobility-threat-engine", "fingerprint": "a8beed7776c0b353e2507b916acddf8a691890dbb098c940d0ace124be8a700c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(\n\t\tfilePath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a8beed7776c0b353e2507b916acddf8a691890dbb098c940d0ace124be8a700c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/trim-fe-packageJson.js"}, "region": {"startLine": 7}}}]}]}]}