{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": 
"repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review the flagged http:// URL and fix it as the pattern requires (use https:// where the endpoint supports it). See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `ghcr.io/homebrew/brew:main` unpinned: `container/services image: ghcr.io/homebrew/brew:main` without `@sha256:...` pulls a mutable tag at workflow-run time.", "shortDescription": {"text": "[MINED126] Workflow container/services image `ghcr.io/homebrew/brew:main` unpinned: `container/services image: ghcr.io/homebrew/brew:main` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "fullDescription": {"text": "Replace with `ghcr.io/homebrew/brew:main@sha256:<digest>` and let Dependabot's Docker scope keep the digest re-pinned."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `Homebrew/actions/cache-homebrew-prefix` pinned to mutable ref `@main`: `uses: Homebrew/actions/cache-homebrew-prefix@main` resolves at workflow-run time.", "shortDescription": {"text": "[MINED115] Action `Homebrew/actions/cache-homebrew-prefix` pinned to mutable ref `@main`: `uses: Homebrew/actions/cache-homebrew-prefix@main` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "fullDescription": {"text": "Replace with: `uses: Homebrew/actions/cache-homebrew-prefix@<40-char-sha>  # main` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/996"}, "properties": {"repository": "Homebrew/homebrew-cask", "repoUrl": "https://github.com/Homebrew/homebrew-cask", "branch": "main"}, "results": [{"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 93484, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5c37dd31c10c0fe7eab0e393ac497d0d6aa72a7094018103f5683dbca0d61d2a", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "backup", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|5c37dd31c10c0fe7eab0e393ac497d0d6aa72a7094018103f5683dbca0d61d2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Casks/a/arq-cloud-backup.rb"}, "region": {"startLine": 1}}}]}, {"ruleId": "CFG006", "level": 
"warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 93482, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93498, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c766b2331e38a1b3fccd83bd9d44546e43390d0852c38012a64b485db51dbe42", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Casks/a/anytype.rb", "duplicate_line": 19, "correlation_key": "fp|c766b2331e38a1b3fccd83bd9d44546e43390d0852c38012a64b485db51dbe42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Casks/a/anytype@beta.rb"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93497, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9efbe9126aa9ea857074eec64cbcb72b6ba6694653ef597e9752a92c0a8e5038", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A 
normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Casks/a/anytype.rb", "duplicate_line": 18, "correlation_key": "fp|9efbe9126aa9ea857074eec64cbcb72b6ba6694653ef597e9752a92c0a8e5038"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Casks/a/anytype@alpha.rb"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93496, "scanner": "repobility-ai-code-hygiene", "fingerprint": "022f483197744673cc3e02f8fb317c2434e96a7f1e3cee0d022b0ea9cca03b1d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Casks/a/android-studio-preview@beta.rb", "duplicate_line": 24, "correlation_key": "fp|022f483197744673cc3e02f8fb317c2434e96a7f1e3cee0d022b0ea9cca03b1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Casks/a/android-studio-preview@canary.rb"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93495, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f71ff953017fd9c1b76cba9c6af1cb0d4f9322399c6275dcd4074d2c01316cd9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "Casks/a/alfred.rb", "duplicate_line": 18, "correlation_key": "fp|f71ff953017fd9c1b76cba9c6af1cb0d4f9322399c6275dcd4074d2c01316cd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Casks/a/alfred@prerelease.rb"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93494, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8785b4de0eb056657bb70d536072cefecce645c3d40c7583ef21a08b001d8191", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Casks/a/alfred.rb", "duplicate_line": 5, "correlation_key": "fp|8785b4de0eb056657bb70d536072cefecce645c3d40c7583ef21a08b001d8191"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Casks/a/alfred@4.rb"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93493, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b3d13930fb6945e30a0f3d54945e28ba16eb6e8496ee6ba5f031a6b12ee1577d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Casks/a/aerial.rb", "duplicate_line": 15, "correlation_key": "fp|b3d13930fb6945e30a0f3d54945e28ba16eb6e8496ee6ba5f031a6b12ee1577d"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "Casks/a/aerial@beta.rb"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93492, "scanner": "repobility-ai-code-hygiene", "fingerprint": "80f51f1d22742929b0e862f65c3be20942b95c79dc2cde437b072ef74a0156e7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Casks/a/adguard.rb", "duplicate_line": 16, "correlation_key": "fp|80f51f1d22742929b0e862f65c3be20942b95c79dc2cde437b072ef74a0156e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Casks/a/adguard@nightly.rb"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93491, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d7b1be2d0cbd0291791e74022fd79b7522162bc8394e78aa60ce9ffb954345b4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Casks/a/adguard-vpn.rb", "duplicate_line": 16, "correlation_key": "fp|d7b1be2d0cbd0291791e74022fd79b7522162bc8394e78aa60ce9ffb954345b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Casks/a/adguard-vpn@nightly.rb"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 93490, "scanner": "repobility-ai-code-hygiene", "fingerprint": "21f9cca99c3d7cbe01826a5af5f432bf3af55d2c53d5a3f2c7189fa9590751a2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Casks/a/accordance.rb", "duplicate_line": 15, "correlation_key": "fp|21f9cca99c3d7cbe01826a5af5f432bf3af55d2c53d5a3f2c7189fa9590751a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Casks/a/accordance@13.rb"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93489, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b7e81b836e25ac48f9bac44e6452e7d5991b627324e5c12f5de853a8a77c32b9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Casks/a/ableton-live-suite.rb", "duplicate_line": 4, "correlation_key": "fp|b7e81b836e25ac48f9bac44e6452e7d5991b627324e5c12f5de853a8a77c32b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Casks/a/ableton-live-suite@11.rb"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93488, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"9881ec7df16568d5aa72213b91f07a5925fe1676618112c203f1cba6c415e607", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Casks/a/ableton-live-standard.rb", "duplicate_line": 10, "correlation_key": "fp|9881ec7df16568d5aa72213b91f07a5925fe1676618112c203f1cba6c415e607"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Casks/a/ableton-live-standard@11.rb"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93487, "scanner": "repobility-ai-code-hygiene", "fingerprint": "17780d98f7c24cb2ec7dd0c4e32710760d2269dc4b4ed0bb7fe9f2eb5e43bd4c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Casks/a/ableton-live-lite.rb", "duplicate_line": 10, "correlation_key": "fp|17780d98f7c24cb2ec7dd0c4e32710760d2269dc4b4ed0bb7fe9f2eb5e43bd4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Casks/a/ableton-live-lite@11.rb"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93486, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a8fd8e1fbf7240bb757e4ce93846884c5f368540915f0a469191d9c3c9e89dda", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Casks/a/ableton-live-intro.rb", "duplicate_line": 10, "correlation_key": "fp|a8fd8e1fbf7240bb757e4ce93846884c5f368540915f0a469191d9c3c9e89dda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Casks/a/ableton-live-intro@11.rb"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93485, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5255659e526a75293b1805fb30841c955d6569a6323a93c9d00a9e240b69cc78", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Casks/1/1password.rb", "duplicate_line": 24, "correlation_key": "fp|5255659e526a75293b1805fb30841c955d6569a6323a93c9d00a9e240b69cc78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Casks/1/1password@beta.rb"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 93483, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f73266a5b1cfa264e4e93b6c9ab3af8e95e52c2380c4844a8339072bfe15ce1e", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "backup", "rule_id": "AIC002", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|f73266a5b1cfa264e4e93b6c9ab3af8e95e52c2380c4844a8339072bfe15ce1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Casks/a/arq-cloud-backup.rb"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 93481, "scanner": "repobility-threat-engine", "fingerprint": "c2025413db2cc319a4c4b5474c8886c5533edad783a371da1c913ba435077272", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c2025413db2cc319a4c4b5474c8886c5533edad783a371da1c913ba435077272"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Casks/a/apptrap.rb"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 93480, "scanner": "repobility-threat-engine", "fingerprint": "ff491e00ba5d08f211b946e1a9fdf7717e03f18d394760e0ef02b3e1a8eb01c0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 
0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ff491e00ba5d08f211b946e1a9fdf7717e03f18d394760e0ef02b3e1a8eb01c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Casks/a/apptivate.rb"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/homebrew/brew:main` unpinned: `container/services image: ghcr.io/homebrew/brew:main` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 93521, "scanner": "repobility-supply-chain", "fingerprint": "521d0ff2e2b17567128795f378f2706c65815665af745454885ed6109a477a0d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|521d0ff2e2b17567128795f378f2706c65815665af745454885ed6109a477a0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/actionlint.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/cache-homebrew-prefix` pinned to mutable ref `@main`: `uses: Homebrew/actions/cache-homebrew-prefix@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93520, "scanner": "repobility-supply-chain", "fingerprint": "6245bd01d7354e9605524b27e670794ea9a87426e1e125902deb2d177a00dea5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6245bd01d7354e9605524b27e670794ea9a87426e1e125902deb2d177a00dea5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/actionlint.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/setup-homebrew` pinned to mutable ref `@main`: `uses: Homebrew/actions/setup-homebrew@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93519, "scanner": "repobility-supply-chain", "fingerprint": "82e092c45215e6b5b783b86d2d19cf96cac81d2daa5dca37f431a35426ebd8d2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|82e092c45215e6b5b783b86d2d19cf96cac81d2daa5dca37f431a35426ebd8d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/actionlint.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/homebrew/brew:main` unpinned: `container/services image: ghcr.io/homebrew/brew:main` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 93518, "scanner": "repobility-supply-chain", "fingerprint": "ca45bd651c06051c79fed8e02ae7045fea054a19ed28067991023210e234b494", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ca45bd651c06051c79fed8e02ae7045fea054a19ed28067991023210e234b494"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/clean-up-closed-prs.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/setup-homebrew` pinned to mutable ref `@main`: `uses: Homebrew/actions/setup-homebrew@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93517, "scanner": "repobility-supply-chain", "fingerprint": "ed3927288a7c7f9f697affbc326042621b61e18c41c3581c4f6ed77bdd80fd24", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ed3927288a7c7f9f697affbc326042621b61e18c41c3581c4f6ed77bdd80fd24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/clean-up-closed-prs.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/git-try-push` pinned to mutable ref `@main`: `uses: Homebrew/actions/git-try-push@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93516, "scanner": "repobility-supply-chain", "fingerprint": "18528c57dbae3a3cbfd022e9d08fddead8890352ea6030cacd6f8de3f5e02f65", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|18528c57dbae3a3cbfd022e9d08fddead8890352ea6030cacd6f8de3f5e02f65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/remove-disabled-packages.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/remove-disabled-packages` pinned to mutable ref `@main`: `uses: Homebrew/actions/remove-disabled-packages@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93515, "scanner": "repobility-supply-chain", "fingerprint": "45fcf0d7f830a38d26d00d03c5b4a90a2cf32132ad5fb247d50c63f806f311a3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45fcf0d7f830a38d26d00d03c5b4a90a2cf32132ad5fb247d50c63f806f311a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/remove-disabled-packages.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/setup-commit-signing` pinned to mutable ref `@main`: `uses: Homebrew/actions/setup-commit-signing@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93514, "scanner": "repobility-supply-chain", "fingerprint": "edd94db16861d9c17a31711647c110eabfcb2033ab090d57b1c241fd80be8d8c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|edd94db16861d9c17a31711647c110eabfcb2033ab090d57b1c241fd80be8d8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/remove-disabled-packages.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/git-user-config` pinned to mutable ref `@main`: `uses: Homebrew/actions/git-user-config@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93513, "scanner": "repobility-supply-chain", "fingerprint": "a0b3082aa699c7c64d6867c8928035e58b89ab8a886a06f0ef255ca2c8b66d71", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a0b3082aa699c7c64d6867c8928035e58b89ab8a886a06f0ef255ca2c8b66d71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/remove-disabled-packages.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/setup-homebrew` pinned to mutable ref `@main`: `uses: Homebrew/actions/setup-homebrew@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93512, "scanner": "repobility-supply-chain", "fingerprint": "f16575b8059ad4e9f3c1208040657851f09af9b3c90a247f55dc1076782ad310", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f16575b8059ad4e9f3c1208040657851f09af9b3c90a247f55dc1076782ad310"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/remove-disabled-packages.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/setup-homebrew` pinned to mutable ref `@main`: `uses: Homebrew/actions/setup-homebrew@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93511, "scanner": "repobility-supply-chain", "fingerprint": "2004168c2378f3440f52f262d4bd83a632641eadde0014daa795d87fd23abb85", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2004168c2378f3440f52f262d4bd83a632641eadde0014daa795d87fd23abb85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/setup-homebrew` pinned to mutable ref `@main`: `uses: Homebrew/actions/setup-homebrew@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93510, "scanner": "repobility-supply-chain", "fingerprint": "e6a8dd69ed44d5fe2bdae2745bf853a8a0f83a69ddefd6d2a25fb1f34b600cb0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e6a8dd69ed44d5fe2bdae2745bf853a8a0f83a69ddefd6d2a25fb1f34b600cb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/setup-homebrew` pinned to mutable ref `@main`: `uses: Homebrew/actions/setup-homebrew@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93509, "scanner": "repobility-supply-chain", "fingerprint": "752dd09b554ea3eceeee2f022b35dd0a2c568b6be3298f3daaa16d7a4baf4235", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|752dd09b554ea3eceeee2f022b35dd0a2c568b6be3298f3daaa16d7a4baf4235"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cache.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/setup-homebrew` pinned to mutable ref `@main`: `uses: Homebrew/actions/setup-homebrew@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93508, "scanner": "repobility-supply-chain", "fingerprint": "87872cbba989405edae56c755a1b89091cb0ec8d68546e3fef7b851778630f24", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|87872cbba989405edae56c755a1b89091cb0ec8d68546e3fef7b851778630f24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/scheduled.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/setup-homebrew` pinned to mutable ref `@main`: `uses: Homebrew/actions/setup-homebrew@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93507, "scanner": "repobility-supply-chain", "fingerprint": "a462e57d6804917aac933040bc26d15375a292254aaa2043e5f42839ecdc2bb7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a462e57d6804917aac933040bc26d15375a292254aaa2043e5f42839ecdc2bb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/scheduled.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/git-try-push` pinned to mutable ref `@main`: `uses: Homebrew/actions/git-try-push@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93506, "scanner": "repobility-supply-chain", "fingerprint": "929ae36ce4bbe5932bd9a0ee62070fc492ee6773bdd88dd97d3e2de1d4198835", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|929ae36ce4bbe5932bd9a0ee62070fc492ee6773bdd88dd97d3e2de1d4198835"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/google-fonts.yml"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/setup-commit-signing` pinned to mutable ref `@main`: `uses: Homebrew/actions/setup-commit-signing@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93505, "scanner": "repobility-supply-chain", "fingerprint": "31ddeea51e3d1211a0e0e0063fa988210f275a8b93b8a5da91413626e25971c0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|31ddeea51e3d1211a0e0e0063fa988210f275a8b93b8a5da91413626e25971c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/google-fonts.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/git-user-config` pinned to mutable ref `@main`: `uses: Homebrew/actions/git-user-config@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93504, "scanner": "repobility-supply-chain", "fingerprint": "e5f1dfea50a098ad23af875489f94bea9c1646086ee65e06fef07469fa56e3b9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e5f1dfea50a098ad23af875489f94bea9c1646086ee65e06fef07469fa56e3b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/google-fonts.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/setup-commit-signing` pinned to mutable ref `@main`: `uses: Homebrew/actions/setup-commit-signing@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93503, "scanner": "repobility-supply-chain", "fingerprint": "16c36096f983b0efbdbf3364605a0d972e709d4fdb56867364bf7186e5fc4d81", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|16c36096f983b0efbdbf3364605a0d972e709d4fdb56867364bf7186e5fc4d81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/autobump.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/git-user-config` pinned to mutable ref `@main`: `uses: Homebrew/actions/git-user-config@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93502, "scanner": "repobility-supply-chain", "fingerprint": "af03eb080e3b91e86d680fdca33c1d4732ac04461dfd8ff4345c3fa8d6616873", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|af03eb080e3b91e86d680fdca33c1d4732ac04461dfd8ff4345c3fa8d6616873"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/autobump.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/setup-homebrew` pinned to mutable ref `@main`: `uses: Homebrew/actions/setup-homebrew@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93501, "scanner": "repobility-supply-chain", "fingerprint": "588db9a36e4f9a22b14999d443082bf032e6e430da0897d2c6a5dba33d816666", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|588db9a36e4f9a22b14999d443082bf032e6e430da0897d2c6a5dba33d816666"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/autobump.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/label-pull-requests` pinned to mutable ref `@main`: `uses: Homebrew/actions/label-pull-requests@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93500, "scanner": "repobility-supply-chain", "fingerprint": "a6f1770a5614e26836b13642e3ca739ee20693829a4f45f03c8d8f9167ed8d22", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a6f1770a5614e26836b13642e3ca739ee20693829a4f45f03c8d8f9167ed8d22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/triage.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Homebrew/actions/check-commit-format` pinned to mutable ref `@main`: `uses: Homebrew/actions/check-commit-format@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93499, "scanner": "repobility-supply-chain", "fingerprint": "a5d21d140fb3bd35a479952fd5acf837cc273d18228df9c447a8d1f339d308c8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a5d21d140fb3bd35a479952fd5acf837cc273d18228df9c447a8d1f339d308c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/triage.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 93479, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}]}]}