{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED124", "name": "[MINED124] requirements.txt: `requests` has no version pin: Unpinned pip requirement means every fresh install may resol", "shortDescription": {"text": "[MINED124] requirements.txt: `requests` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible inst"}, "fullDescription": {"text": "Replace `requests` with `requests==<version>` and manage upgrades through PRs / Dependabot."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `parse_json_vtt_transcript` has cognitive complexity 24 (SonarSource scale", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `parse_json_vtt_transcript` has cognitive complexity 24 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, a"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 24."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED074", "name": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI halluci", "shortDescription": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED077", "name": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.", "shortDescription": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-772 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC078] Python: requests without timeout (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED064] Python Input Call (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `OSDKDev/lock-issues` pinned to mutable ref `@v1.2`: `uses: OSDKDev/lock-issues@v1.2` resolves at work", "shortDescription": {"text": "[MINED115] Action `OSDKDev/lock-issues` pinned to mutable ref `@v1.2`: `uses: OSDKDev/lock-issues@v1.2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise"}, "fullDescription": {"text": "Replace with: `uses: OSDKDev/lock-issues@<40-char-sha>  # v1.2` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`", "shortDescription": {"text": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import email` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/753"}, "properties": {"repository": "microsoft/generative-ai-for-beginners", "repoUrl": "https://github.com/microsoft/generative-ai-for-beginners", "branch": "main"}, "results": [{"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `requests` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 62804, "scanner": "repobility-supply-chain", "fingerprint": "e62a65d1629a95c0e12212b6e6995388195edbf73b593845b8687ba13b8553cc", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e62a65d1629a95c0e12212b6e6995388195edbf73b593845b8687ba13b8553cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "09-building-image-applications/requirements.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pillow` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 62803, "scanner": "repobility-supply-chain", "fingerprint": "f357d2bf10762956a4661d679bafe10aae289610163dbab22e8b817e5eb04585", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f357d2bf10762956a4661d679bafe10aae289610163dbab22e8b817e5eb04585"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "09-building-image-applications/requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `openai` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 62802, "scanner": "repobility-supply-chain", "fingerprint": "544d341ed5b1acc2177b52bca25b63c4ac43c26d5e4a860b6d443345bf156c34", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|544d341ed5b1acc2177b52bca25b63c4ac43c26d5e4a860b6d443345bf156c34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "09-building-image-applications/requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `python-dotenv` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 62801, "scanner": "repobility-supply-chain", "fingerprint": "eb4d59da2083c32dd92f4bbdb326d6f236a52aaaa73fc8bf78b44ff85ec42998", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb4d59da2083c32dd92f4bbdb326d6f236a52aaaa73fc8bf78b44ff85ec42998"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "09-building-image-applications/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `scikit-learn` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 62800, "scanner": "repobility-supply-chain", "fingerprint": "0872a9721555ffa0c82d4c8a2861795b15cafaf7c17a06c60a5e42f357d8feff", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0872a9721555ffa0c82d4c8a2861795b15cafaf7c17a06c60a5e42f357d8feff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `azure-ai-inference` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 62799, "scanner": "repobility-supply-chain", "fingerprint": "32aec96a0f7abb741a5177276a385b4b4d7e41acf33fc63b1def01e72d44e591", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|32aec96a0f7abb741a5177276a385b4b4d7e41acf33fc63b1def01e72d44e591"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `tiktoken` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 62798, "scanner": "repobility-supply-chain", "fingerprint": "74c70ed248d721c20d8248cc9681e899014ec9bd19a2abce92e4848a6767ba0f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|74c70ed248d721c20d8248cc9681e899014ec9bd19a2abce92e4848a6767ba0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 8}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 62791, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `parse_json_vtt_transcript` has cognitive complexity 24 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=3, for=1, if=10, nested_bonus=10."}, "properties": {"repobilityId": 62768, "scanner": "repobility-threat-engine", "fingerprint": "32ec4121f44eab0594dc34fe81922f63ef841861d38c618f0a6a1c90ac6bf7e0", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 24 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "parse_json_vtt_transcript", "breakdown": {"if": 10, "for": 1, "else": 3, "nested_bonus": 10}, "complexity": 24, "correlation_key": "fp|32ec4121f44eab0594dc34fe81922f63ef841861d38c618f0a6a1c90ac6bf7e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "08-building-search-applications/scripts/transcript_enrich_bucket.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62796, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7180740ed400ec1d18ddf19361de450c1044ba68885dd2b7933520422bbacdd7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "09-building-image-applications/python/aoai-app-variation.py", "duplicate_line": 2, "correlation_key": "fp|7180740ed400ec1d18ddf19361de450c1044ba68885dd2b7933520422bbacdd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "09-building-image-applications/python/aoai-solution.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62795, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8b860a2d3af30724ac23096d40a0fef9dc25f40553f35e12a18e3dae1efce979", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "09-building-image-applications/python/aoai-app-variation.py", "duplicate_line": 2, "correlation_key": "fp|8b860a2d3af30724ac23096d40a0fef9dc25f40553f35e12a18e3dae1efce979"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "09-building-image-applications/python/aoai-app.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62794, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7e26bf06344b08ac4934baa9821b4ae9d7de307c9ce01d868f4ac0bb7f9f210e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "08-building-search-applications/scripts/transcript_enrich_embeddings.py", "duplicate_line": 99, "correlation_key": "fp|7e26bf06344b08ac4934baa9821b4ae9d7de307c9ce01d868f4ac0bb7f9f210e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "08-building-search-applications/scripts/transcript_enrich_summaries.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62793, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e260c703502231a50ca04953c885184e80288f055542709116ba118e595e1761", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "08-building-search-applications/scripts/transcript_enrich_speaker.py", "duplicate_line": 64, "correlation_key": "fp|e260c703502231a50ca04953c885184e80288f055542709116ba118e595e1761"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "08-building-search-applications/scripts/transcript_enrich_summaries.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62792, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b152df759032e54d3702769e0d5509813ec33ad1ffa6e1af46fba516916335a7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "06-text-generation-apps/python/aoai-study-buddy.py", "duplicate_line": 11, "correlation_key": "fp|b152df759032e54d3702769e0d5509813ec33ad1ffa6e1af46fba516916335a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "06-text-generation-apps/python/oai-study-buddy.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `make_safe_request` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=1, except=1, for=1, if=1, nested_bonus=3, or=1."}, "properties": {"repobilityId": 62770, "scanner": "repobility-threat-engine", "fingerprint": "914bac597937951b2ad5ef29b04329cad89397d5b7c9a832fb2dd40ff701233c", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "make_safe_request", "breakdown": {"if": 1, "or": 1, "for": 1, "except": 1, "continue": 1, "nested_bonus": 3}, "complexity": 8, "correlation_key": "fp|914bac597937951b2ad5ef29b04329cad89397d5b7c9a832fb2dd40ff701233c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/python/api_utils.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `process_queue` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=3, if=3, nested_bonus=3, while=1."}, "properties": {"repobilityId": 62769, "scanner": "repobility-threat-engine", "fingerprint": "ca47e4a662ae676cf6cc07b0f09912487db4a20f9bb8f445318599c374da4faf", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "process_queue", "breakdown": {"if": 3, "while": 1, "continue": 3, "nested_bonus": 3}, "complexity": 10, "correlation_key": "fp|ca47e4a662ae676cf6cc07b0f09912487db4a20f9bb8f445318599c374da4faf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "08-building-search-applications/scripts/transcript_enrich_embeddings.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "properties": {"repobilityId": 62790, "scanner": "repobility-threat-engine", "fingerprint": "25e6b3f419be807936879eff616e3a1b62446c5adf0e888a7020a5dd46b4e9df", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|25e6b3f419be807936879eff616e3a1b62446c5adf0e888a7020a5dd46b4e9df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/python/api_utils.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 62789, "scanner": "repobility-threat-engine", "fingerprint": "edd777e14c248a980b22fd6e166125e675daba0746b5abbb81d5c328e7337e7e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|edd777e14c248a980b22fd6e166125e675daba0746b5abbb81d5c328e7337e7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "09-building-image-applications/python/oai-app.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 62788, "scanner": "repobility-threat-engine", "fingerprint": "f04145b547713216b8738699582e93c30c88052a42528f89a77eeea3600420e5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f04145b547713216b8738699582e93c30c88052a42528f89a77eeea3600420e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "09-building-image-applications/python/oai-app-variation.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 62787, "scanner": "repobility-threat-engine", "fingerprint": "cbbf5f58cfa368beb8f4f38fab5752f7165ff85efe6ba7f34305603e148feeda", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cbbf5f58cfa368beb8f4f38fab5752f7165ff85efe6ba7f34305603e148feeda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "09-building-image-applications/python/aoai-app-variation.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 62786, "scanner": "repobility-threat-engine", "fingerprint": "1361ffa9c3e6bba8c756f3d556d7d430ee765c8d57ea666109adf6c3be4e2cb1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1361ffa9c3e6bba8c756f3d556d7d430ee765c8d57ea666109adf6c3be4e2cb1", "aggregated_count": 2}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 62785, "scanner": "repobility-threat-engine", "fingerprint": "588e897bcab5091dac3be076d6c0bf83fd2abe5ffe83cfdbfb18069e89eeb1d4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|588e897bcab5091dac3be076d6c0bf83fd2abe5ffe83cfdbfb18069e89eeb1d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "09-building-image-applications/python/aoai-solution.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 62784, "scanner": "repobility-threat-engine", "fingerprint": "0f9c86ef6f959485961dbbe45d29a9641cf66c5eb9010e1d4cffa4c57bc713bc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0f9c86ef6f959485961dbbe45d29a9641cf66c5eb9010e1d4cffa4c57bc713bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "09-building-image-applications/python/aoai-app.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 62783, "scanner": "repobility-threat-engine", "fingerprint": "9af4aa0d661623843ba1c68cc95906ef136508161452cd6952b557739bc51bd3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9af4aa0d661623843ba1c68cc95906ef136508161452cd6952b557739bc51bd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "09-building-image-applications/python/aoai-app-variation.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 62782, "scanner": "repobility-threat-engine", "fingerprint": "130c5045baecd0b9524abd6870aed08fddb81812daa325ac97b261216d6966ee", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|130c5045baecd0b9524abd6870aed08fddb81812daa325ac97b261216d6966ee"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 62778, "scanner": "repobility-threat-engine", "fingerprint": "462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 62774, "scanner": "repobility-threat-engine", "fingerprint": "fb255cdeacd3ea9f4b8ac23b87dc379a8b47dac562c2ffb66fe5e89bf5e09d20", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.warning(\"Increase Max Tokens and try again\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|11|logger.warning increase max tokens and try again"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "08-building-search-applications/scripts/transcript_enrich_summaries.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 62767, "scanner": "repobility-threat-engine", "fingerprint": "8a77ffb0a8fcdda223aabe32cdaf0e5bdc6cae13db4c9684d2f2d4932a1285a8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8a77ffb0a8fcdda223aabe32cdaf0e5bdc6cae13db4c9684d2f2d4932a1285a8"}}}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 62763, "scanner": "repobility-threat-engine", "fingerprint": "e9bef44272652a5ecb502f14f98158bf299b66a7cb41ba7aeb53e7c0265b59b2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e9bef44272652a5ecb502f14f98158bf299b66a7cb41ba7aeb53e7c0265b59b2", "aggregated_count": 3}}}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 62762, "scanner": "repobility-threat-engine", "fingerprint": "f27616a4c64619506dac0091b174cea1429a576bc0188d876908dd69630d6458", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f27616a4c64619506dac0091b174cea1429a576bc0188d876908dd69630d6458"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "06-text-generation-apps/python/aoai-study-buddy.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 62761, "scanner": "repobility-threat-engine", "fingerprint": "9c056dac14c3b39d0873d324e5b323b79093844466ba057e10775bfa268ccd91", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9c056dac14c3b39d0873d324e5b323b79093844466ba057e10775bfa268ccd91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "06-text-generation-apps/python/aoai-history-bot.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 62760, "scanner": "repobility-threat-engine", "fingerprint": "bc058507b7289c45d226d542166b2d4367a2c9c055a8bd008061de4f1fbe8426", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bc058507b7289c45d226d542166b2d4367a2c9c055a8bd008061de4f1fbe8426"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "06-text-generation-apps/python/aoai-app-recipe.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 62758, "scanner": "repobility-threat-engine", "fingerprint": "f1e161962fe043d40b0b62354f7238946ffae30e19da416a3889d752e32876be", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f1e161962fe043d40b0b62354f7238946ffae30e19da416a3889d752e32876be", "aggregated_count": 8}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 62757, "scanner": "repobility-threat-engine", "fingerprint": "c73408c883a3dba4dc3fdbb773963137aedca946702f422cab01c832fa5e73c6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c73408c883a3dba4dc3fdbb773963137aedca946702f422cab01c832fa5e73c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "06-text-generation-apps/js-githubmodels/app.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 62756, "scanner": "repobility-threat-engine", "fingerprint": "27d44f9631b5dfec2ef0b50162d02845205e6d57e37ce438c7b1e9a4f86cbc4a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|27d44f9631b5dfec2ef0b50162d02845205e6d57e37ce438c7b1e9a4f86cbc4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "05-advanced-prompts/javascript/solution.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 62755, "scanner": "repobility-threat-engine", "fingerprint": "33a337f788dae48e985b00a0a95be6f6f2b1426d671cb1167700bb62f87e9c1f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|33a337f788dae48e985b00a0a95be6f6f2b1426d671cb1167700bb62f87e9c1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "05-advanced-prompts/javascript/assignment.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `OSDKDev/lock-issues` pinned to mutable ref `@v1.2`: `uses: OSDKDev/lock-issues@v1.2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62820, "scanner": "repobility-supply-chain", "fingerprint": "5b974713d8154d463294c2e8d1dfe128046462f69e7f50ef1aba3fcbb7a5a4d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5b974713d8154d463294c2e8d1dfe128046462f69e7f50ef1aba3fcbb7a5a4d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lock.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `john0isaac/action-check-markdown` pinned to mutable ref `@v1.1.0`: `uses: john0isaac/action-check-markdown@v1.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62819, "scanner": "repobility-supply-chain", "fingerprint": "585144e52ad143493f977d19e2725fce82167479e937d29a5351a84918a80d4b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|585144e52ad143493f977d19e2725fce82167479e937d29a5351a84918a80d4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate-markdown.yml"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62818, "scanner": "repobility-supply-chain", "fingerprint": "926238560a91b46e3f3f22ab1b186803fc5a17f3f2d18b45de8f5a51de3dbb6d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|926238560a91b46e3f3f22ab1b186803fc5a17f3f2d18b45de8f5a51de3dbb6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate-markdown.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `john0isaac/action-check-markdown` pinned to mutable ref `@v1.1.0`: `uses: john0isaac/action-check-markdown@v1.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62817, "scanner": "repobility-supply-chain", "fingerprint": "873bbe8b9c3db06df19dad73fab0210e1d846fc6232b5fe1ee750a3d80e1f380", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|873bbe8b9c3db06df19dad73fab0210e1d846fc6232b5fe1ee750a3d80e1f380"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate-markdown.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62816, "scanner": "repobility-supply-chain", "fingerprint": "b25ec5018e640ecd6619baedecab067f861491375f180ee702a35183e1e5e170", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b25ec5018e640ecd6619baedecab067f861491375f180ee702a35183e1e5e170"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate-markdown.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `john0isaac/action-check-markdown` pinned to mutable ref `@v1.1.0`: `uses: john0isaac/action-check-markdown@v1.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62815, "scanner": "repobility-supply-chain", "fingerprint": "ca3d1e0d9b496edd30b19c4d4555a3496394bd0513c4179c81c31bc86926909b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ca3d1e0d9b496edd30b19c4d4555a3496394bd0513c4179c81c31bc86926909b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate-markdown.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62814, "scanner": "repobility-supply-chain", "fingerprint": "dbde8ed645da768c4e25e5358bb989788ebf568511caa3fd1431f8090f87d114", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dbde8ed645da768c4e25e5358bb989788ebf568511caa3fd1431f8090f87d114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate-markdown.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `john0isaac/action-check-markdown` pinned to mutable ref `@v1.1.0`: `uses: john0isaac/action-check-markdown@v1.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62813, "scanner": "repobility-supply-chain", "fingerprint": "e50484673907c0949262df06b7da51a185847baf0851ec42b90a4f86f54d5ecc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e50484673907c0949262df06b7da51a185847baf0851ec42b90a4f86f54d5ecc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate-markdown.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62812, "scanner": "repobility-supply-chain", "fingerprint": "f6068e0f5449b514515d0cb82722689d79d0c2c6a8c5eded5673b6645b148dbd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f6068e0f5449b514515d0cb82722689d79d0c2c6a8c5eded5673b6645b148dbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate-markdown.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `john0isaac/action-check-markdown` pinned to mutable ref `@v1.1.0`: `uses: john0isaac/action-check-markdown@v1.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62811, "scanner": "repobility-supply-chain", "fingerprint": "ba34ab98287d5c30061fa04d95bc38a430b0a4616b47a16b2d9ccc20fcb0646b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ba34ab98287d5c30061fa04d95bc38a430b0a4616b47a16b2d9ccc20fcb0646b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate-markdown.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62810, "scanner": "repobility-supply-chain", "fingerprint": "274871f9cbb05b236e7c9f22c5fc95be197e4ea1f66d150c99530f547f70e6d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|274871f9cbb05b236e7c9f22c5fc95be197e4ea1f66d150c99530f547f70e6d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate-markdown.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/stale` pinned to mutable ref `@v10`: `uses: actions/stale@v10` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62809, "scanner": "repobility-supply-chain", "fingerprint": "8df7533b776efe71501e8938ec0f363d8ed97113dcc6c79e2ed989a3ec5ff51b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8df7533b776efe71501e8938ec0f363d8ed97113dcc6c79e2ed989a3ec5ff51b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/stale.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pozil/auto-assign-issue` pinned to mutable ref `@v2`: `uses: pozil/auto-assign-issue@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62808, "scanner": "repobility-supply-chain", "fingerprint": "6b058810bae32dda74bcfa53e8aaddf45896022e1613fc1b15a002889d6ca6d0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b058810bae32dda74bcfa53e8aaddf45896022e1613fc1b15a002889d6ca6d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/welcome-pr.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62807, "scanner": "repobility-supply-chain", "fingerprint": "b6169e5c43196b0acd5f26db9aa5769ba53a995f5a08ca036b7dd62a2bd6da85", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b6169e5c43196b0acd5f26db9aa5769ba53a995f5a08ca036b7dd62a2bd6da85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/welcome-pr.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pozil/auto-assign-issue` pinned to mutable ref `@v2`: `uses: pozil/auto-assign-issue@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62806, "scanner": "repobility-supply-chain", "fingerprint": "45a1e2c07d1568088c028106444759484d9baca39445e25c9b9288364e17e661", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45a1e2c07d1568088c028106444759484d9baca39445e25c9b9288364e17e661"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/welcome-issue.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 62805, "scanner": "repobility-supply-chain", "fingerprint": "5e6304e10058e5213168b2c51c2c09f0ab122a07ad8009cb6eaf3c56b00fef1e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5e6304e10058e5213168b2c51c2c09f0ab122a07ad8009cb6eaf3c56b00fef1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/welcome-issue.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 62781, "scanner": "repobility-threat-engine", "fingerprint": "1a157be81e6a4be997888273850c4de2c73a6e472e361b18bfd5915e3f2fe280", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1a157be81e6a4be997888273850c4de2c73a6e472e361b18bfd5915e3f2fe280"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "09-building-image-applications/python/aoai-solution.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 62780, "scanner": "repobility-threat-engine", "fingerprint": "3d1a54c2ac190ac7fd393f4aced2abe30af3a9eaac2016ee6de54406819502fb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3d1a54c2ac190ac7fd393f4aced2abe30af3a9eaac2016ee6de54406819502fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "09-building-image-applications/python/aoai-app.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 62779, "scanner": "repobility-threat-engine", "fingerprint": "5355b9db6946e5fca0b3c216983b3bcf132e4ed79f7bd913a2c4225b77d47481", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5355b9db6946e5fca0b3c216983b3bcf132e4ed79f7bd913a2c4225b77d47481"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "09-building-image-applications/python/aoai-app-variation.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 62777, "scanner": "repobility-threat-engine", "fingerprint": "2b574e513a6575a34cafe128655ca0a9abed7c7f57867af35fb38f91ed2637a2", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(image_url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2b574e513a6575a34cafe128655ca0a9abed7c7f57867af35fb38f91ed2637a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "09-building-image-applications/python/aoai-solution.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 62776, "scanner": "repobility-threat-engine", "fingerprint": "a3ba6dd7d7b4a89c99d7fb77efd1e6ae4a849cce9323bcb847f4a9bc8508731b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(image_url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a3ba6dd7d7b4a89c99d7fb77efd1e6ae4a849cce9323bcb847f4a9bc8508731b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "09-building-image-applications/python/aoai-app.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 62775, "scanner": "repobility-threat-engine", "fingerprint": "6683079686bf1955a336d705634e58110eb50263c18f3247cd063c5bd8d84ab1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(image_url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6683079686bf1955a336d705634e58110eb50263c18f3247cd063c5bd8d84ab1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "09-building-image-applications/python/aoai-app-variation.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 62773, "scanner": "repobility-threat-engine", "fingerprint": "b063a40700607cf106196bc2be1426bbb969823376da7b98f6a8555b5cc93dec", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|166|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "08-building-search-applications/scripts/transcript_enrich_summaries.py"}, "region": {"startLine": 166}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 62772, "scanner": "repobility-threat-engine", "fingerprint": "50aec34ac7b35aedee3a01ae37e3b823503336d2f263044a9c288266804dc632", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|23|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "08-building-search-applications/scripts/transcript_enrich_lite.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 62771, "scanner": "repobility-threat-engine", "fingerprint": "3d412450a02b13ec48bab3800414f14c9b4f3b0308d67292852256592140ae41", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|63|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "08-building-search-applications/scripts/transcript_enrich_embeddings.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 62766, "scanner": "repobility-threat-engine", "fingerprint": "0b34da1584e4fcd9fdbdb0b9dcfa9e2fad41570aecf4fe57a9f87fb8bedd5804", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "progress.update(task, advance=1)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0b34da1584e4fcd9fdbdb0b9dcfa9e2fad41570aecf4fe57a9f87fb8bedd5804"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "08-building-search-applications/scripts/transcript_enrich_speaker.py"}, "region": {"startLine": 188}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 62765, "scanner": "repobility-threat-engine", "fingerprint": "aec385e6be4c54d8aacde55c36a2a6b57d960b954616aea10f378f2cf1b6946e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "progress.update(task, advance=1)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aec385e6be4c54d8aacde55c36a2a6b57d960b954616aea10f378f2cf1b6946e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "08-building-search-applications/scripts/transcript_enrich_embeddings.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 62764, "scanner": "repobility-threat-engine", "fingerprint": "ff246bb5bcf875d2dff1ca0c6e02405386e5091ea561a5cbc1949da54eed4f3c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "progress.update(task1, advance=1)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ff246bb5bcf875d2dff1ca0c6e02405386e5091ea561a5cbc1949da54eed4f3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "08-building-search-applications/scripts/transcript_enrich_bucket.py"}, "region": {"startLine": 221}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 62759, "scanner": "repobility-threat-engine", "fingerprint": "a43aedcb5adcf23f1d06e13bb8e776deea6ab7b9fce7c420e22ff5123fd20a0d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@app.route('/', methods=['GET', 'POST'])", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a43aedcb5adcf23f1d06e13bb8e776deea6ab7b9fce7c420e22ff5123fd20a0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "05-advanced-prompts/python/aoai-solution.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 62754, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 62797, "scanner": "repobility-ast-engine", "fingerprint": "afc235908604655b7983d373e3636433c5667e2ac85781cc496aa055ad26b5cf", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|afc235908604655b7983d373e3636433c5667e2ac85781cc496aa055ad26b5cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/python/input_validation.py"}, "region": {"startLine": 177}}}]}]}]}