{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB012", "name": "Service worker is present without a web app manifest", "shortDescription": {"text": "Service worker is present without a web app manifest"}, "fullDescription": {"text": "A service worker without a manifest often means the PWA install surface is incomplete or inconsistent across devices."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. 
The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", 
"owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED046", "name": "[MINED046] Dart Print (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED046] Dart Print (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED022", "name": "[MINED022] C Strcpy (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED022] C Strcpy (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-120 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED017", "name": "[MINED017] C System Call: system() invokes shell. command injection if any arg is dynamic.", "shortDescription": {"text": "[MINED017] C System Call: system() invokes shell. command injection if any arg is dynamic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED010", "name": "[MINED010] Ruby System Call: system / backtick run shell. Command injection if any arg dynamic.", "shortDescription": {"text": "[MINED010] Ruby System Call: system / backtick run shell. Command injection if any arg dynamic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-78 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Apply the block to the IP address the hostname resolves to, and also cover loopback (127/8) and IPv6 ranges."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `r-lib/actions/check-r-package` pinned to mutable ref `@v2`", "shortDescription": {"text": "Action `r-lib/actions/check-r-package` pinned to mutable ref `@v2`"}, "fullDescription": {"text": "`uses: r-lib/actions/check-r-package@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a full 40-character commit SHA and keep the pin updated with Dependabot or Renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED005", "name": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection.", "shortDescription": {"text": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED025", "name": "[MINED025] Php Eval: eval() executes arbitrary PHP. Code injection.", "shortDescription": {"text": "[MINED025] Php Eval: eval() executes arbitrary PHP. Code injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.", "shortDescription": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-95 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED015", "name": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection.", "shortDescription": {"text": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.PLOTLY_API_KEY` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.PLOTLY_API_KEY` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.PLOTLY_API_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). By default GitHub does not pass repository secrets to `pull_request` runs that originate from a fork, so confirm which trigger and checkout actually put the secret within reach of untrusted code before rating this finding. 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/976"}, "properties": {"repository": "plotly/plotly.R", "repoUrl": "https://github.com/plotly/plotly.R", "branch": "master"}, "results": [{"ruleId": "WEB012", "level": "warning", "message": {"text": "Service worker is present without a web app manifest"}, "properties": {"repobilityId": 91509, "scanner": "repobility-web-presence", "fingerprint": "fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A service worker was discovered but no common web manifest file was found.", "evidence": {"rule_id": "WEB012", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/Manifest"], "correlation_key": "fp|fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "manifest.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 91508, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": 
"fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 91507, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 91500, "scanner": "repobility-threat-engine", "fingerprint": "1b73462a53d2018101355e467e55fddfa72e3c591acdbe44f583b0a238007800", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(url)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|demo/custom-javascript.r|17|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "demo/custom-javascript.R"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 91467, "scanner": "repobility-threat-engine", "fingerprint": "59a07e07dcb2f9d770febd1012bc997d774290a36a3a2300dd95fa552338ce9c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|r/shiny.r|273|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/shiny.R"}, "region": {"startLine": 273}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 91466, "scanner": "repobility-threat-engine", "fingerprint": "87c0f0698fc7d26876124b0d5a310a87f5cad063606c6f290a6df47808508407", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "(eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|r/highlight.r|206|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/highlight.R"}, "region": {"startLine": 206}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 91465, "scanner": "repobility-threat-engine", "fingerprint": "a000896a982832a06dfea790237a2850fdf855f83b4ffca8a3336821c2ffac68", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "(eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|r/api.r|152|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/api.R"}, "region": {"startLine": 152}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 91506, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 91505, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no 
llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 91504, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 91503, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 91502, "scanner": "repobility-threat-engine", "fingerprint": "23dfd78df2e683cbd09425318ab48bba082301250e1b992138ca65d785fcd0ed", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|23dfd78df2e683cbd09425318ab48bba082301250e1b992138ca65d785fcd0ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "demo/custom-javascript.R"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 91501, "scanner": "repobility-threat-engine", "fingerprint": "905ed5ef0511a2d2712e42beb414c03cfa973e7592e38f2db5a767c77a52d03b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", 
"correlation_key": "fp|905ed5ef0511a2d2712e42beb414c03cfa973e7592e38f2db5a767c77a52d03b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "demo/custom-javascript.R"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 91499, "scanner": "repobility-threat-engine", "fingerprint": "1b0fc296e100dc317655c849401c51a960908f620a6a4ddce8b7c47abae2ddb3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1b0fc296e100dc317655c849401c51a960908f620a6a4ddce8b7c47abae2ddb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/sf.R"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED046", "level": "none", "message": {"text": "[MINED046] Dart Print (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 91491, "scanner": "repobility-threat-engine", "fingerprint": "98b016da3466d01ab79a255d3eb96782343be555f1780d7fd00791ad11ae38d2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "dart-print", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348008+00:00", "triaged_in_corpus": 10, "observations_count": 1515005, "ai_coder_pattern_id": 168}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|98b016da3466d01ab79a255d3eb96782343be555f1780d7fd00791ad11ae38d2", "aggregated_count": 3}}}, {"ruleId": "MINED046", "level": "none", "message": {"text": "[MINED046] Dart Print: print() in Flutter goes to console. Use debugPrint / logger."}, "properties": {"repobilityId": 91490, "scanner": "repobility-threat-engine", "fingerprint": "4c6a6abca8c67ce61afd2f918273ac63178245c80e9f66c1de30853500a04265", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "dart-print", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348008+00:00", "triaged_in_corpus": 10, "observations_count": 1515005, "ai_coder_pattern_id": 168}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4c6a6abca8c67ce61afd2f918273ac63178245c80e9f66c1de30853500a04265"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/print.R"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED046", "level": "none", "message": {"text": "[MINED046] Dart Print: print() in Flutter goes to console. 
Use debugPrint / logger."}, "properties": {"repobilityId": 91489, "scanner": "repobility-threat-engine", "fingerprint": "e339e564667457c26d59bafbe880daa72dcd2bd31c292a367aa023755b87e241", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "dart-print", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348008+00:00", "triaged_in_corpus": 10, "observations_count": 1515005, "ai_coder_pattern_id": 168}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e339e564667457c26d59bafbe880daa72dcd2bd31c292a367aa023755b87e241"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/plotly_data.R"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED046", "level": "none", "message": {"text": "[MINED046] Dart Print: print() in Flutter goes to console. 
Use debugPrint / logger."}, "properties": {"repobilityId": 91488, "scanner": "repobility-threat-engine", "fingerprint": "766a8296cac8ea4c39883b4361e9194043e97bce3d9bfd55365b8fea76550a32", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "dart-print", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348008+00:00", "triaged_in_corpus": 10, "observations_count": 1515005, "ai_coder_pattern_id": 168}, "scanner": "repobility-threat-engine", "correlation_key": "fp|766a8296cac8ea4c39883b4361e9194043e97bce3d9bfd55365b8fea76550a32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/dev.R"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 91484, "scanner": "repobility-threat-engine", "fingerprint": "86ba1835d70968651e1fbb2569a4d94211de579a814cf34a5d1e1e2eafe3f130", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|86ba1835d70968651e1fbb2569a4d94211de579a814cf34a5d1e1e2eafe3f130", "aggregated_count": 1}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 91483, "scanner": "repobility-threat-engine", "fingerprint": "784b343d16328eeaf2193fb6d319201b4fe0fd91e6afe069b72fbcdb4978fe5a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|784b343d16328eeaf2193fb6d319201b4fe0fd91e6afe069b72fbcdb4978fe5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/ggridges.R"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 91482, "scanner": "repobility-threat-engine", "fingerprint": "1b6423ca5801506d261700428f837f38e0f630e42316de560339cc6316511080", "category": "quality", "severity": "info", 
"confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1b6423ca5801506d261700428f837f38e0f630e42316de560339cc6316511080"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/api_exports.R"}, "region": {"startLine": 194}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 91481, "scanner": "repobility-threat-engine", "fingerprint": "027bd3d410fa913b06e8379b48e2ec7972b6b3893c800acdf6f2d526a4b641f3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|027bd3d410fa913b06e8379b48e2ec7972b6b3893c800acdf6f2d526a4b641f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/api.R"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED022", "level": "none", "message": {"text": "[MINED022] C Strcpy (and 8 more): Same pattern found in 8 additional files. 
Review if needed."}, "properties": {"repobilityId": 91474, "scanner": "repobility-threat-engine", "fingerprint": "2bb54d96ab13a6373cda3c5978d52bb54cf401263ef239e84f53641b82a9d4c3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2bb54d96ab13a6373cda3c5978d52bb54cf401263ef239e84f53641b82a9d4c3", "aggregated_count": 8}}}, {"ruleId": "MINED017", "level": "error", "message": {"text": "[MINED017] C System Call: system() invokes shell. 
command injection if any arg is dynamic."}, "properties": {"repobilityId": 91498, "scanner": "repobility-threat-engine", "fingerprint": "72c39c45e32e31833611f63eff197b98e9350bf38c9e39e3a3016547d23e1604", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347937+00:00", "triaged_in_corpus": 15, "observations_count": 77748, "ai_coder_pattern_id": 132}, "scanner": "repobility-threat-engine", "correlation_key": "fp|72c39c45e32e31833611f63eff197b98e9350bf38c9e39e3a3016547d23e1604"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/update_plotlyjs.R"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED017", "level": "error", "message": {"text": "[MINED017] C System Call: system() invokes shell. 
command injection if any arg is dynamic."}, "properties": {"repobilityId": 91497, "scanner": "repobility-threat-engine", "fingerprint": "8a1a79cbf0c8d96ba643e1d51fdc1126c579b2cdf75f8b587c73f50dcd0514bb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347937+00:00", "triaged_in_corpus": 15, "observations_count": 77748, "ai_coder_pattern_id": 132}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8a1a79cbf0c8d96ba643e1d51fdc1126c579b2cdf75f8b587c73f50dcd0514bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/sf.R"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED017", "level": "error", "message": {"text": "[MINED017] C System Call: system() invokes shell. 
command injection if any arg is dynamic."}, "properties": {"repobilityId": 91496, "scanner": "repobility-threat-engine", "fingerprint": "39890cee112f5016d3685b79f5968b85d9642c409e2e4c4ec86c311fb72f961a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347937+00:00", "triaged_in_corpus": 15, "observations_count": 77748, "ai_coder_pattern_id": 132}, "scanner": "repobility-threat-engine", "correlation_key": "fp|39890cee112f5016d3685b79f5968b85d9642c409e2e4c4ec86c311fb72f961a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/orca.R"}, "region": {"startLine": 219}}}]}, {"ruleId": "MINED010", "level": "error", "message": {"text": "[MINED010] Ruby System Call: system / backtick run shell. 
Command injection if any arg dynamic."}, "properties": {"repobilityId": 91495, "scanner": "repobility-threat-engine", "fingerprint": "89c91e879f76b75ed5d297aec15da71481e50e434d06edb2e006f4edb1077912", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "correlation_key": "fp|89c91e879f76b75ed5d297aec15da71481e50e434d06edb2e006f4edb1077912"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/update_plotlyjs.R"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED010", "level": "error", "message": {"text": "[MINED010] Ruby System Call: system / backtick run shell. 
Command injection if any arg dynamic."}, "properties": {"repobilityId": 91494, "scanner": "repobility-threat-engine", "fingerprint": "62ca257e9950140fb3db2c8248046befae9b00e3b2647760332c711cce5b6292", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "correlation_key": "fp|62ca257e9950140fb3db2c8248046befae9b00e3b2647760332c711cce5b6292"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/sf.R"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED010", "level": "error", "message": {"text": "[MINED010] Ruby System Call: system / backtick run shell. 
Command injection if any arg dynamic."}, "properties": {"repobilityId": 91493, "scanner": "repobility-threat-engine", "fingerprint": "0d7aa22ddf1ea627dbc829de2c8c523fb42213db29fa2d0df7b09202d50bceef", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0d7aa22ddf1ea627dbc829de2c8c523fb42213db29fa2d0df7b09202d50bceef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/orca.R"}, "region": {"startLine": 219}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 91487, "scanner": "repobility-threat-engine", "fingerprint": "a283522d84f666a41bfe5ebe0438c39e7381c29e6fac6eccb2328b09ea0a0734", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a283522d84f666a41bfe5ebe0438c39e7381c29e6fac6eccb2328b09ea0a0734"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/print.R"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 91486, "scanner": "repobility-threat-engine", "fingerprint": "691ed0e8addb02f60d8ce1077e0fde23735ab571ba3583a90cf39242395232b9", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(o", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|691ed0e8addb02f60d8ce1077e0fde23735ab571ba3583a90cf39242395232b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/plotly_example.R"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 91485, "scanner": "repobility-threat-engine", "fingerprint": "d009659a77b934726acd1a2ee2bd61ea97187a49faa8abdd3f5466ad763bd7fb", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(\n    g", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d009659a77b934726acd1a2ee2bd61ea97187a49faa8abdd3f5466ad763bd7fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/api_exports.R"}, "region": {"startLine": 173}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `r-lib/actions/check-r-package` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 91461, "scanner": "repobility-supply-chain", "fingerprint": "81527f33cb9a745ed231c6c5e4cc26666757737cb4e9e8fe47cccca6b59d09d3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|81527f33cb9a745ed231c6c5e4cc26666757737cb4e9e8fe47cccca6b59d09d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/R-CMD-check.yaml"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@master`"}, "properties": {"repobilityId": 91460, "scanner": "repobility-supply-chain", "fingerprint": "64c32cabf2d795d847c36ec024c4fa271d19ee5a18343ca89769f61920c73ef1", "category": "dependency", "severity": "high", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|64c32cabf2d795d847c36ec024c4fa271d19ee5a18343ca89769f61920c73ef1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/R-CMD-check.yaml"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 91459, "scanner": "repobility-supply-chain", "fingerprint": "2ca073baeb2d815b103d0a7d385a2d54db8fda00ce9119b54bdf11cdbd9f9847", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2ca073baeb2d815b103d0a7d385a2d54db8fda00ce9119b54bdf11cdbd9f9847"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/R-CMD-check.yaml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `r-lib/actions/setup-r-dependencies` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 91458, "scanner": "repobility-supply-chain", "fingerprint": "7fa59b7aa814132d493aa39bf36f897cc20202c3e62ab3a74547238c72c15b1c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", 
"correlation_key": "fp|7fa59b7aa814132d493aa39bf36f897cc20202c3e62ab3a74547238c72c15b1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/R-CMD-check.yaml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `r-lib/actions/setup-pandoc` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 91457, "scanner": "repobility-supply-chain", "fingerprint": "9b8ba1451d4bb629bc26889f0f23482ea83957ae1ff93a9c220d0def99b029f3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9b8ba1451d4bb629bc26889f0f23482ea83957ae1ff93a9c220d0def99b029f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/R-CMD-check.yaml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `r-lib/actions/setup-r` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 91456, "scanner": "repobility-supply-chain", "fingerprint": "4ec84d71b756a4441df1723eaddb69a02b9fe3b59fdfaee4e31da1e7c25b21d9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4ec84d71b756a4441df1723eaddb69a02b9fe3b59fdfaee4e31da1e7c25b21d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/R-CMD-check.yaml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action 
`actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 91455, "scanner": "repobility-supply-chain", "fingerprint": "33f4ce4282b48afd938e4df958cf3ce8f90dcaf39f827dc2313830d057df6c4d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|33f4ce4282b48afd938e4df958cf3ce8f90dcaf39f827dc2313830d057df6c4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/R-CMD-check.yaml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/deploy-pages` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 91454, "scanner": "repobility-supply-chain", "fingerprint": "980544e952c1da7c6372da52c14189a2ae3a520e4c13fb2ae4fc9d94f5ab903f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|980544e952c1da7c6372da52c14189a2ae3a520e4c13fb2ae4fc9d94f5ab903f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-pages-artifact` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 91453, "scanner": "repobility-supply-chain", "fingerprint": "c804c59e167854471dc42a6f36f77379d6f3e37b4ee8c6131e0cd41164cfe13e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c804c59e167854471dc42a6f36f77379d6f3e37b4ee8c6131e0cd41164cfe13e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ruby/setup-ruby` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 91452, "scanner": "repobility-supply-chain", "fingerprint": "ce8cfbeec27cfa70c207918dc859d5067077d1d1a5542d00f1a9fbf651193414", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ce8cfbeec27cfa70c207918dc859d5067077d1d1a5542d00f1a9fbf651193414"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 91451, "scanner": "repobility-supply-chain", "fingerprint": "ecc2f4bcf7be170936bf394a8669e962c822481ff7f29f21ac04f2e2fd2e0451", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|ecc2f4bcf7be170936bf394a8669e962c822481ff7f29f21ac04f2e2fd2e0451"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 91450, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED005", "level": "error", "message": {"text": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection."}, "properties": {"repobilityId": 91492, "scanner": "repobility-threat-engine", "fingerprint": "5a8c3b3544c2b0e8dced24a1a8851c5831c842523c61be9acca9046f6eb2631f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "lua-loadstring", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["lua"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347908+00:00", "triaged_in_corpus": 20, "observations_count": 291730, "ai_coder_pattern_id": 169}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5a8c3b3544c2b0e8dced24a1a8851c5831c842523c61be9acca9046f6eb2631f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/kaleido.R"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED025", "level": "error", "message": {"text": "[MINED025] Php Eval: eval() executes arbitrary PHP. 
Code injection."}, "properties": {"repobilityId": 91480, "scanner": "repobility-threat-engine", "fingerprint": "44c2953c873a5352e9a3f5bd2286dabf3db8de2c2a18e80627b8173261552f75", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-eval", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347956+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 164}, "scanner": "repobility-threat-engine", "correlation_key": "fp|44c2953c873a5352e9a3f5bd2286dabf3db8de2c2a18e80627b8173261552f75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/shiny.R"}, "region": {"startLine": 273}}}]}, {"ruleId": "MINED025", "level": "error", "message": {"text": "[MINED025] Php Eval: eval() executes arbitrary PHP. 
Code injection."}, "properties": {"repobilityId": 91479, "scanner": "repobility-threat-engine", "fingerprint": "70c6e2b9dceea60c20c82d6fc436fc5737a2420d7deb3feffda1001993b4feb2", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-eval", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347956+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 164}, "scanner": "repobility-threat-engine", "correlation_key": "fp|70c6e2b9dceea60c20c82d6fc436fc5737a2420d7deb3feffda1001993b4feb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/highlight.R"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED025", "level": "error", "message": {"text": "[MINED025] Php Eval: eval() executes arbitrary PHP. 
Code injection."}, "properties": {"repobilityId": 91478, "scanner": "repobility-threat-engine", "fingerprint": "1ad1b6c989ced8cf6e3a9395c87b7983747ae64fbfc0d426bae7dd3301b555bd", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-eval", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347956+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 164}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1ad1b6c989ced8cf6e3a9395c87b7983747ae64fbfc0d426bae7dd3301b555bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/api.R"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. 
Code injection risk."}, "properties": {"repobilityId": 91477, "scanner": "repobility-threat-engine", "fingerprint": "6c174e3f73689670e05cdc19c3bbfadc7e264d9cc283e55938d18abb6faa0473", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6c174e3f73689670e05cdc19c3bbfadc7e264d9cc283e55938d18abb6faa0473"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/shiny.R"}, "region": {"startLine": 273}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. 
Code injection risk."}, "properties": {"repobilityId": 91476, "scanner": "repobility-threat-engine", "fingerprint": "5b1185c3949a081bb10b8ffbe891458d1c7dfbe288f5fd745c80210c76d9ef03", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5b1185c3949a081bb10b8ffbe891458d1c7dfbe288f5fd745c80210c76d9ef03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/highlight.R"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. 
Code injection risk."}, "properties": {"repobilityId": 91475, "scanner": "repobility-threat-engine", "fingerprint": "722e860e0d631c64c338a63e8b3da0244cd18b2e97ad44d7b8c147b12f7a7680", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|722e860e0d631c64c338a63e8b3da0244cd18b2e97ad44d7b8c147b12f7a7680"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/api.R"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat don't bounds-check; use strncpy or snprintf."}, "properties": {"repobilityId": 91473, "scanner": "repobility-threat-engine", "fingerprint": "22a523b1daa84d6e8dbfac99428e9058ab54e1dd4a3817a82f715b1379389f5f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|22a523b1daa84d6e8dbfac99428e9058ab54e1dd4a3817a82f715b1379389f5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/export.R"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED022", "level": "error", 
"message": {"text": "[MINED022] C Strcpy: strcpy/strcat don't bounds-check; use strncpy or snprintf."}, "properties": {"repobilityId": 91472, "scanner": "repobility-threat-engine", "fingerprint": "2079346944456370bef53f530849f212abafe74bfe9fe575888b2829516811dc", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2079346944456370bef53f530849f212abafe74bfe9fe575888b2829516811dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/embed.R"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat don't bounds-check; use strncpy or snprintf."}, "properties": {"repobilityId": 91471, "scanner": "repobility-threat-engine", "fingerprint": "cf48fc11283778d0f4f03a2a5fb46ebaadada9630b555e1d447e07e70ccc9582", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cf48fc11283778d0f4f03a2a5fb46ebaadada9630b555e1d447e07e70ccc9582"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/api.R"}, "region": {"startLine": 16}}}]}, 
{"ruleId": "MINED015", "level": "error", "message": {"text": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection."}, "properties": {"repobilityId": 91470, "scanner": "repobility-threat-engine", "fingerprint": "d7a513dab53eb6623cc7fff2e6ad77afa0b06a97b8247731f5049d71d372f4c2", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-eval-call", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347933+00:00", "triaged_in_corpus": 20, "observations_count": 85733, "ai_coder_pattern_id": 161}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d7a513dab53eb6623cc7fff2e6ad77afa0b06a97b8247731f5049d71d372f4c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/shiny.R"}, "region": {"startLine": 273}}}]}, {"ruleId": "MINED015", "level": "error", "message": {"text": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. 
Code injection."}, "properties": {"repobilityId": 91469, "scanner": "repobility-threat-engine", "fingerprint": "41d998a12b49e2fe3c59912e52f207225e0cde797ac2184c56f7e8ce54c47c10", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-eval-call", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347933+00:00", "triaged_in_corpus": 20, "observations_count": 85733, "ai_coder_pattern_id": 161}, "scanner": "repobility-threat-engine", "correlation_key": "fp|41d998a12b49e2fe3c59912e52f207225e0cde797ac2184c56f7e8ce54c47c10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/highlight.R"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED015", "level": "error", "message": {"text": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. 
Code injection."}, "properties": {"repobilityId": 91468, "scanner": "repobility-threat-engine", "fingerprint": "133ae34364d12b4b11a5ed68cf636bdad70eac6f01ccfc148661847b1f7857fe", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-eval-call", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347933+00:00", "triaged_in_corpus": 20, "observations_count": 85733, "ai_coder_pattern_id": 161}, "scanner": "repobility-threat-engine", "correlation_key": "fp|133ae34364d12b4b11a5ed68cf636bdad70eac6f01ccfc148661847b1f7857fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "R/api.R"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.PLOTLY_API_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 91464, "scanner": "repobility-supply-chain", "fingerprint": "3c82ef90bb68ee750d323a63f274d95be15f7f4ae6a7591f5b0ef1f84671b9a5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3c82ef90bb68ee750d323a63f274d95be15f7f4ae6a7591f5b0ef1f84671b9a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/R-CMD-check.yaml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.PLOTLY_USERNAME` on a `pull_request` trigger"}, "properties": {"repobilityId": 91463, "scanner": "repobility-supply-chain", "fingerprint": 
"a337042ec43f68184812f30136297f01a6e10cd5a6e8de1d82d01e2cf32e0001", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a337042ec43f68184812f30136297f01a6e10cd5a6e8de1d82d01e2cf32e0001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/R-CMD-check.yaml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.MAPBOX_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 91462, "scanner": "repobility-supply-chain", "fingerprint": "1ca061fdc1a52317fa1094173be2dabeef5b1cc2068d68a56d35b1748f431479", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ca061fdc1a52317fa1094173be2dabeef5b1cc2068d68a56d35b1748f431479"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/R-CMD-check.yaml"}, "region": {"startLine": 44}}}]}]}]}