{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC003", "name": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code.", "shortDescription": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "fullDescription": {"text": "Never commit secrets. Use .env files with .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Database exports and local database files can contain production data, credentials, or large binary payloads that slow Docker builds and can be copied into images by broad COPY instructions."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC007", "name": "Generated build artifact directory is present at repository root", "shortDescription": {"text": "Generated build artifact directory is present at repository root"}, "fullDescription": {"text": "Committed build outputs and caches make scans slower, confuse duplicate-code checks, and give AI agents stale generated code to imitate."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 38 more): Same pattern found in 38 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 38 more): Same pattern found in 38 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 8 more): Same pattern found in 8 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 4 more): Same pattern found in 4 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 30 more): Same pattern found in 30 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 12 more): Same pattern found in 12 additional files. Review if nee", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC035", "name": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based o", "shortDescription": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation."}, "fullDescription": {"text": "Cap user-controlled sizes BEFORE allocation:\n  size = min(int(request.args.get('n', 100)), MAX_SIZE)\nSet framework-level limits:\n  Flask:    app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024\n  FastAPI:  use middleware to enforce request size\n  Django:   DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py\nNever raise `sys.setrecursionlimit` past 10K without a deeper review."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "Workflow container/services image `ubuntu:22.04` unpinned", "shortDescription": {"text": "Workflow container/services image `ubuntu:22.04` unpinned"}, "fullDescription": {"text": "`container/services image: ubuntu:22.04` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `apple-actions/import-codesign-certs` pinned to mutable ref `@v2`", "shortDescription": {"text": "Action `apple-actions/import-codesign-certs` pinned to mutable ref `@v2`"}, "fullDescription": {"text": "`uses: apple-actions/import-codesign-certs@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `ubuntu:24.04` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `ubuntu:24.04` not pinned by digest"}, "fullDescription": {"text": "`FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage runs as root", "shortDescription": {"text": "Docker final stage runs as root"}, "fullDescription": {"text": "The final runtime stage explicitly uses root. A compromised app process would have root inside the container."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Piping downloaded code directly into a shell bypasses checksum verification and makes builds dependent on mutable remote content."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "MINED133", "name": "Hardcoded Discord webhook URL in source", "shortDescription": {"text": "Hardcoded Discord webhook URL in source"}, "fullDescription": {"text": "File contains a hardcoded `Discord` webhook URL: `https://discord.com/api/webhooks/1473390363388416230/eRIo1Uh...`. Webhook URLs are unauthenticated POST endpoints \u2014 anyone with the URL can send messages. They are also a common data-exfiltration channel for compromised packages (malicious post-install collects env vars + POSTs them)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/206"}, "properties": {"repository": "generalaction/emdash", "repoUrl": "https://github.com/generalaction/emdash", "branch": "main"}, "results": [{"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 49549, "scanner": "repobility-threat-engine", "fingerprint": "c702380b4ba77023b1ee3c284d2d7d190c002879af58088aa553158ab61cc478", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random().toString(36).slice(2, 7), []);\n\n  const deriv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c702380b4ba77023b1ee3c284d2d7d190c002879af58088aa553158ab61cc478"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/features/tasks/create-task-modal/use-branch-name.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 49545, "scanner": "repobility-threat-engine", "fingerprint": "72e98a568d35f57be36c4b6d761f3c3f5590dfa381d9f3f91c052e3239dda292", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(docsUrl, '_blank', 'noopener,noreferrer')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|99|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/features/mcp/components/McpCard.tsx"}, "region": {"startLine": 99}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 49542, "scanner": "repobility-threat-engine", "fingerprint": "d1a25343f22fe8dcaacea818863fc23116e81e7cd3c7c9e24aa9c509e5b10225", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d1a25343f22fe8dcaacea818863fc23116e81e7cd3c7c9e24aa9c509e5b10225"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/workspaces/byoi/provision-byoi-task.ts"}, "region": {"startLine": 150}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 49541, "scanner": "repobility-threat-engine", "fingerprint": "72e9262ded31aa87ad724d5ed397c4b14c0bcffd0470506e415a71ad407be443", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|72e9262ded31aa87ad724d5ed397c4b14c0bcffd0470506e415a71ad407be443"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/tasks/task-builder.ts"}, "region": {"startLine": 131}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 49540, "scanner": "repobility-threat-engine", "fingerprint": "df670fde4092ae035c7a98525aeba8a897e3079c010e80a67ca2a84058e26bff", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|df670fde4092ae035c7a98525aeba8a897e3079c010e80a67ca2a84058e26bff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/ssh/credentials/ssh-credential-service.ts"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC003", "level": "warning", "message": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "properties": {"repobilityId": 49525, "scanner": "repobility-threat-engine", "fingerprint": "6ff61034f544ddae37376b86e28775c6a72d40d6cc7c678bb73ccca93dfef861", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.3 bits) \u2014 may be placeholder or common string", "evidence": {"match": "SECRET_KEY = 'emdash-asana-token'", "reason": "Low entropy value (3.3 bits) \u2014 may be placeholder or common string", "rule_id": "SEC003", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|4|secret_key emdash-asana-token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/asana/asana-connection-service.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC003", "level": "warning", "message": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "properties": {"repobilityId": 49524, "scanner": "repobility-threat-engine", "fingerprint": "b06139a0c5b28da88ac2a3fb0930def6e3a8a16659d6744c1fbabbd6bafd780c", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "evidence": {"match": "SECRET_KEY = 'emdash-account-token'", "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "rule_id": "SEC003", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|1|secret_key emdash-account-token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/account/services/credential-store.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 49506, "scanner": "repobility-threat-engine", "fingerprint": "5c7d4f0e5cf16c1fdf2995c340c4ee2f2a74f6b6811f3eb016ac040d9b2e806b", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|18|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release/rebuild-native.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 49505, "scanner": "repobility-threat-engine", "fingerprint": "0d5f4dec1ca6720c3655b97e0b4fc486ad117520d7f480fde68b22d352ae7036", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|54|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release/notarize-mac.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 49504, "scanner": "repobility-threat-engine", "fingerprint": "00b3639c3f1456546aa1aec4ef45b8e2d2156addd7ab7637a318ec9de170d9d4", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|scripts/release/build.ts|35|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release/build.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 6328, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 6327, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 6322, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["GraphQL"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 6314, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 6309, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "tooling/fixtures/empty.db", "size_mb": 0.3}, {"path": "tooling/fixtures/pre-0012.db", "size_mb": 0.3}, {"path": "tooling/fixtures/baseline.db", "size_mb": 0.3}, {"path": "tooling/fixtures/pre-0011.db", "size_mb": 0.3}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC003", "level": "warning", "message": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "properties": {"repobilityId": 6307, "scanner": "repobility-threat-engine", "fingerprint": "252db1990dc148221e505e8aca9d7e861da66b136a3167e1d339289499cfd836", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.7 bits) \u2014 may be placeholder or common string", "evidence": {"match": "SECRET_KEY = 'emdash-linear-token'", "reason": "Low entropy value (3.7 bits) \u2014 may be placeholder or common string", "rule_id": "SEC003", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|1|secret_key emdash-linear-token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/linear/linear-connection-service.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC003", "level": "warning", "message": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "properties": {"repobilityId": 6306, "scanner": "repobility-threat-engine", "fingerprint": "6e437c01894245e8893541b6b9c8aefb769173e35bf5ab554bb03453be128b16", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.7 bits) \u2014 may be placeholder or common string", "evidence": {"match": "SECRET_KEY = 'emdash-featurebase-token'", "reason": "Low entropy value (3.7 bits) \u2014 may be placeholder or common string", "rule_id": "SEC003", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|3|secret_key emdash-featurebase-token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/featurebase/featurebase-connection-service.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC003", "level": "warning", "message": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "properties": {"repobilityId": 6305, "scanner": "repobility-threat-engine", "fingerprint": "8f8bf0e9c38e2b36f772106a90c3859cd7ffd8177bd505ea2f872c863b1a2668", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.7 bits) \u2014 may be placeholder or common string", "evidence": {"match": "SECRET_KEY = 'emdash-plain-token'", "reason": "Low entropy value (3.7 bits) \u2014 may be placeholder or common string", "rule_id": "SEC003", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|4|secret_key emdash-plain-token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/plain/plain-connection-service.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 6303, "scanner": "repobility-threat-engine", "fingerprint": "6a2b876de117b725bf99c6e877f4deeafda8e94f9e06ea6eb1d340e83cdf377d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6a2b876de117b725bf99c6e877f4deeafda8e94f9e06ea6eb1d340e83cdf377d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/features/sidebar/project-item.tsx"}, "region": {"startLine": 190}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 6302, "scanner": "repobility-threat-engine", "fingerprint": "657195ab466da17c5494f73804ccd4a53362b1f637a76a36aa935a8d8e499ab5", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|657195ab466da17c5494f73804ccd4a53362b1f637a76a36aa935a8d8e499ab5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/utils/soundPlayer.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 6301, "scanner": "repobility-threat-engine", "fingerprint": "ee37fc150142a30d323ccba3c99c510160b0c87a92a2abd558403af699bc081c", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ee37fc150142a30d323ccba3c99c510160b0c87a92a2abd558403af699bc081c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/utils/telemetryClient.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49473, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2dd69bddf1b8ec3e664f6c272ad75db738411a32b4f4bc816ada68a780243c74", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 12, "correlation_key": "fp|2dd69bddf1b8ec3e664f6c272ad75db738411a32b4f4bc816ada68a780243c74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/pi.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49472, "scanner": "repobility-ai-code-hygiene", "fingerprint": "58a70fd151166a3e8219432e6d70b2e23334d38bce2e9855d9b5b49ea28f5e2f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/autohand.ts", "duplicate_line": 6, "correlation_key": "fp|58a70fd151166a3e8219432e6d70b2e23334d38bce2e9855d9b5b49ea28f5e2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/pi.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49471, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c7b7526095752070d16fb830acabf283840af1bb9ec92dee47e62fb9f83ec5fd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/auggie.ts", "duplicate_line": 3, "correlation_key": "fp|c7b7526095752070d16fb830acabf283840af1bb9ec92dee47e62fb9f83ec5fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/pi.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49470, "scanner": "repobility-ai-code-hygiene", "fingerprint": "275cb3f08cf52f54623c08a6302a94c4a1a4aef1689f0bdcfc1d5cb53ffa2ec3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 12, "correlation_key": "fp|275cb3f08cf52f54623c08a6302a94c4a1a4aef1689f0bdcfc1d5cb53ffa2ec3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/opencode.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49469, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3a21ac0fce629f9cf349ee64d1a829a052799f0c2757ebd0f1b635e55bbc94fc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 24, "correlation_key": "fp|3a21ac0fce629f9cf349ee64d1a829a052799f0c2757ebd0f1b635e55bbc94fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/mistral.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49468, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bbd17249e8bf05985e897c88bdcad945e43ff50007000def9c1c4a9785e11be7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 18, "correlation_key": "fp|bbd17249e8bf05985e897c88bdcad945e43ff50007000def9c1c4a9785e11be7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/letta.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49467, "scanner": "repobility-ai-code-hygiene", "fingerprint": "40015d0008e2857cc28082189e11a56b3e6523bf93c4c20035311cef668ec3a9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 12, "correlation_key": "fp|40015d0008e2857cc28082189e11a56b3e6523bf93c4c20035311cef668ec3a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/kiro.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49466, "scanner": "repobility-ai-code-hygiene", "fingerprint": "63f9b3f42859dfd7db785f004c1feac358d76e243f63bbb84124c85d14b59943", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 24, "correlation_key": "fp|63f9b3f42859dfd7db785f004c1feac358d76e243f63bbb84124c85d14b59943"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/kimi.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49465, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c19dbb8b5a6c579e7de3e11f3223286b4ff6f8ce86cd377ea941960936d590dd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/cline.ts", "duplicate_line": 24, "correlation_key": "fp|c19dbb8b5a6c579e7de3e11f3223286b4ff6f8ce86cd377ea941960936d590dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/kimi.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49464, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5c067f331b007601e7d8bba1a456c857cce882d5ff1e97fe780b45d937b52372", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 12, "correlation_key": "fp|5c067f331b007601e7d8bba1a456c857cce882d5ff1e97fe780b45d937b52372"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/kilocode.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49463, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1367d7712f674ee106b8f8c6dc4238a3b9ffda3a8a8b33f0a038d589b1eb6271", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 18, "correlation_key": "fp|1367d7712f674ee106b8f8c6dc4238a3b9ffda3a8a8b33f0a038d589b1eb6271"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/junie.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49462, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f3e84633b7f0546ebb94402baa6452558f8a9bb4edc1639cfee044b8c221b12a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 18, "correlation_key": "fp|f3e84633b7f0546ebb94402baa6452558f8a9bb4edc1639cfee044b8c221b12a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/jules.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49461, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6cc030d53bd8e1dea24b229d1426242b2adc78f67f0b74af950cdd2e185ddf4b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 18, "correlation_key": "fp|6cc030d53bd8e1dea24b229d1426242b2adc78f67f0b74af950cdd2e185ddf4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/grok.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49460, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e2a2ed58122ded76ad53bc8f56d9ca4880cde55ac70e6f91c0893a644520561e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 24, "correlation_key": "fp|e2a2ed58122ded76ad53bc8f56d9ca4880cde55ac70e6f91c0893a644520561e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/goose.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49459, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9154686195c1a4205b5f9d8021aeecb6828c38b5c7a30ace5535452a34cd355e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 18, "correlation_key": "fp|9154686195c1a4205b5f9d8021aeecb6828c38b5c7a30ace5535452a34cd355e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/generic.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49458, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c976394830827607e9449732a9be956f15bb3cc3801c6043e5281e075155a000", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 18, "correlation_key": "fp|c976394830827607e9449732a9be956f15bb3cc3801c6043e5281e075155a000"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/droid.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49457, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4cbc84a2c1ad4088a22d1deb1e3d5674686926c33974da9d3ff8bf581404cc5d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/charm.ts", "duplicate_line": 3, "correlation_key": "fp|4cbc84a2c1ad4088a22d1deb1e3d5674686926c33974da9d3ff8bf581404cc5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/droid.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49456, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c960bf35ac972765ac550ca4d72a06a2e1f21918b285e70a5c3b05fc91daebc2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 18, "correlation_key": "fp|c960bf35ac972765ac550ca4d72a06a2e1f21918b285e70a5c3b05fc91daebc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/devin.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 6329, "scanner": "repobility-web-presence", "fingerprint": "4043225faa3d194ec7d83eb6b506a77044cc47247819125860baa12b890ba86d", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|4043225faa3d194ec7d83eb6b506a77044cc47247819125860baa12b890ba86d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 6326, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 6325, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 6324, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 6321, "scanner": "repobility-docker", "fingerprint": "4aa2326d3d3921810b5186322e5e1acd40f551ec6aadca7b898d02b0887ff7bb", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ssh-dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4aa2326d3d3921810b5186322e5e1acd40f551ec6aadca7b898d02b0887ff7bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 6319, "scanner": "repobility-docker", "fingerprint": "8b00e879fda9b785e82387e179bbcbc4e344e55ca1a171b57a876782c623b242", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ssh-dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8b00e879fda9b785e82387e179bbcbc4e344e55ca1a171b57a876782c623b242"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 6317, "scanner": "repobility-docker", "fingerprint": "060c14b1e77df48f48c7749604e7a7f974f55dd4abd4ee5968efec3c5e9014df", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|060c14b1e77df48f48c7749604e7a7f974f55dd4abd4ee5968efec3c5e9014df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tooling/docker-ssh/dockerfile"}, "region": {"startLine": 54}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 6315, "scanner": "repobility-docker", "fingerprint": "adb95539be12cb8dcee29c80c8c8c2a05ede37756be3774924da6f5f305918ee", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|adb95539be12cb8dcee29c80c8c8c2a05ede37756be3774924da6f5f305918ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tooling/docker-ssh/dockerfile"}, "region": {"startLine": 44}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 6312, "scanner": "repobility-docker", "fingerprint": "459916e162c63a11ad09637134f96fe69381b58c09a4b74f5962b440defeb75a", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|459916e162c63a11ad09637134f96fe69381b58c09a4b74f5962b440defeb75a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tooling/byoi/Dockerfile"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 6310, "scanner": "repobility-docker", "fingerprint": "25e38298fcc439838f4d95723d3bef828d2bc8f2cae6a58b30e38d0c16959792", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|25e38298fcc439838f4d95723d3bef828d2bc8f2cae6a58b30e38d0c16959792"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tooling/byoi/Dockerfile"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6300, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c373d0e3157b575ca81de3c81210d6bb4f0d92d58d9914d37e8cad5e1a99bdc6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 12, "correlation_key": "fp|c373d0e3157b575ca81de3c81210d6bb4f0d92d58d9914d37e8cad5e1a99bdc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/cursor.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6299, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a63c1d9d2ca61b842c8f01fd1681464fadf30e56e4b2c780055d07802a815788", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 12, "correlation_key": "fp|a63c1d9d2ca61b842c8f01fd1681464fadf30e56e4b2c780055d07802a815788"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/copilot.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6298, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fbe922ac17cf4410158f723527949ceceac3148ae805ab509fa5662b3c284dfc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 24, "correlation_key": "fp|fbe922ac17cf4410158f723527949ceceac3148ae805ab509fa5662b3c284dfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/continue.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6297, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bec9fb0ce7d542b675d143e953b6be93ccb5fe54fd0dda7647e8cfcc499d2a8c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/charm.ts", "duplicate_line": 3, "correlation_key": "fp|bec9fb0ce7d542b675d143e953b6be93ccb5fe54fd0dda7647e8cfcc499d2a8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/continue.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6296, "scanner": "repobility-ai-code-hygiene", "fingerprint": "84c70360fff710919771dfa96051bf57b0ada806c7b1392ae5626f8b2cee538a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 24, "correlation_key": "fp|84c70360fff710919771dfa96051bf57b0ada806c7b1392ae5626f8b2cee538a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/codebuff.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6295, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a43da4c282a6df63c6ab3f7979285d7dd4564c37e585e4f4bc3c659c1f8691e9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/charm.ts", "duplicate_line": 3, "correlation_key": "fp|a43da4c282a6df63c6ab3f7979285d7dd4564c37e585e4f4bc3c659c1f8691e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/codebuff.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6294, "scanner": "repobility-ai-code-hygiene", "fingerprint": "402e60b40393f4aac4b5396aa25e9b810ea9460173ae684bbea8e9a87efa25ab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 24, "correlation_key": "fp|402e60b40393f4aac4b5396aa25e9b810ea9460173ae684bbea8e9a87efa25ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/cline.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6293, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e590b015753222b295dbce9c263d07d51411174b31d35d914dc6b04ca122ea59", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 24, "correlation_key": "fp|e590b015753222b295dbce9c263d07d51411174b31d35d914dc6b04ca122ea59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/charm.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6292, "scanner": "repobility-ai-code-hygiene", "fingerprint": "30c4d680ecc98aa42e6fda7e6e3032664072903c69ce7d7d4e4fb3b9236aa822", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 12, "correlation_key": "fp|30c4d680ecc98aa42e6fda7e6e3032664072903c69ce7d7d4e4fb3b9236aa822"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/autohand.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6291, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ef71ac0f9f2fc66fc0de983d071d1876b22e6436a9c97d2fcacc05cf688e2f93", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/auggie.ts", "duplicate_line": 3, "correlation_key": "fp|ef71ac0f9f2fc66fc0de983d071d1876b22e6436a9c97d2fcacc05cf688e2f93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/autohand.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6290, "scanner": "repobility-ai-code-hygiene", "fingerprint": "25b6a88dff63af4e8a04b87e3647e86997cc5d0f1de8c6759a0421970553712c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/agent-hooks/classifiers/amp.ts", "duplicate_line": 24, "correlation_key": "fp|25b6a88dff63af4e8a04b87e3647e86997cc5d0f1de8c6759a0421970553712c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/auggie.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6289, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bafc701b6a1b66b0eb651a1bc0391f33010a8c09f0012d908bef563e41697bf8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "electron-builder.canary.config.ts", "duplicate_line": 9, "correlation_key": "fp|bafc701b6a1b66b0eb651a1bc0391f33010a8c09f0012d908bef563e41697bf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "electron-builder.config.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC007", "level": "note", "message": {"text": "Generated build artifact directory is present at repository root"}, "properties": {"repobilityId": 6288, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9ce25f11f897b8a8b2478fd0136724866f111b604484c20a5c690bce80d94da1", "category": "quality", "severity": "low", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains a common generated artifact directory.", "evidence": {"rule_id": "AIC007", "scanner": "repobility-ai-code-hygiene", "directory": "build", "references": ["https://git-scm.com/docs/gitignore", "https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|9ce25f11f897b8a8b2478fd0136724866f111b604484c20a5c690bce80d94da1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 49552, "scanner": "repobility-threat-engine", "fingerprint": "a6dbe4d391f3d3b293600f1e674b1e9904af679651c1ade005991ef60dda757e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a6dbe4d391f3d3b293600f1e674b1e9904af679651c1ade005991ef60dda757e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/features/tasks/diff-view/main-panel/stacked-diff-view.tsx"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 49551, "scanner": "repobility-threat-engine", "fingerprint": "5734bb697649774547e6a6dc3a1b701a0f9bbdc493ba88cadd1b8297963d5746", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5734bb697649774547e6a6dc3a1b701a0f9bbdc493ba88cadd1b8297963d5746"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/features/tasks/diff-view/comments/monaco-comment-manager.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 49548, "scanner": "repobility-threat-engine", "fingerprint": "aa4fab44ee02cd096f195ccc263dfbb845e9cd4964fd84b5a61779a834e696d3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa4fab44ee02cd096f195ccc263dfbb845e9cd4964fd84b5a61779a834e696d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/utils/mcpIcons.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 49547, "scanner": "repobility-threat-engine", "fingerprint": "8f6cfad11ecad238690a96176502728693b384a91c409c6759d2cfe5e1e3e9f9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8f6cfad11ecad238690a96176502728693b384a91c409c6759d2cfe5e1e3e9f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/features/skills/components/SkillIconRenderer.tsx"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 49546, "scanner": "repobility-threat-engine", "fingerprint": "2f01f68222420040df4efe0000f94333ce6a1793f0512d73a416b9111b2d522f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2f01f68222420040df4efe0000f94333ce6a1793f0512d73a416b9111b2d522f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/features/settings/components/IntegrationRow.tsx"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 49544, "scanner": "repobility-threat-engine", "fingerprint": "a48b9642309046fb978bc5083f33b1bbcfb270733bfce2d58f08e4f2212393de", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a48b9642309046fb978bc5083f33b1bbcfb270733bfce2d58f08e4f2212393de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/_legacy/errorTracking.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 49543, "scanner": "repobility-threat-engine", "fingerprint": "42b331c1e4b17f85d81db72d75262314338abed6e5bfedff208d2157846ef882", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|42b331c1e4b17f85d81db72d75262314338abed6e5bfedff208d2157846ef882"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 49539, "scanner": "repobility-threat-engine", "fingerprint": "96c20b24cdfc7dcd6c60b1940195222a939f9eeb1600ff3e6a0d6b428f93c93c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|96c20b24cdfc7dcd6c60b1940195222a939f9eeb1600ff3e6a0d6b428f93c93c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/shared/repository-ref.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 49538, "scanner": "repobility-threat-engine", "fingerprint": "88cc0735c50c9d13f33558b23fd286e04dce06023bf2525356ac9228f8386c7e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|88cc0735c50c9d13f33558b23fd286e04dce06023bf2525356ac9228f8386c7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/shared/oauth-flow.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 38 more): Same pattern found in 38 additional files. Review if needed."}, "properties": {"repobilityId": 49535, "scanner": "repobility-threat-engine", "fingerprint": "627907eaffea66f024e4219e19a79ac27a6dc4100784b2eb06fc4901d3f3cc8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 38 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 38 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|627907eaffea66f024e4219e19a79ac27a6dc4100784b2eb06fc4901d3f3cc8c"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 49531, "scanner": "repobility-threat-engine", "fingerprint": "841b8d35ba95ecf21ebda10f6b871b586198fb1a8c1c7ed357b568567894cc01", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|841b8d35ba95ecf21ebda10f6b871b586198fb1a8c1c7ed357b568567894cc01"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 49530, "scanner": "repobility-threat-engine", "fingerprint": "cc7926a7500a02488396c1be0894438203c717f8b72bcc451b49fb9d60d697d7", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|206|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/tasks/operations/createTask.ts"}, "region": {"startLine": 206}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 49529, "scanner": "repobility-threat-engine", "fingerprint": "049ebe1c59a94385df4a5c7e6e339f88a8718e8572fb1667f60817b594351536", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|65|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/dependencies/install-runner.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 49528, "scanner": "repobility-threat-engine", "fingerprint": "0a05aab727448f506666ca9b19cc9a4feb7061c6527a748df2376863e31ca89a", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|20|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/hook-server.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC003", "level": "none", "message": {"text": "[SEC003] Hardcoded Secret (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 49526, "scanner": "repobility-threat-engine", "fingerprint": "7146cf1318be7e0cdd9e8ec240238a0df7ad05e4b40e03d106816823317447f4", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7146cf1318be7e0cdd9e8ec240238a0df7ad05e4b40e03d106816823317447f4"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 49523, "scanner": "repobility-threat-engine", "fingerprint": "54788ada82aa489e875938ab58165ca4b1594eca53726465dbeab561ecdd5864", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|54788ada82aa489e875938ab58165ca4b1594eca53726465dbeab561ecdd5864"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 49519, "scanner": "repobility-threat-engine", "fingerprint": "588cbe6635e9107e3f4226ff395bb9d3b8dbc57f8977957784281db9e5f71589", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|588cbe6635e9107e3f4226ff395bb9d3b8dbc57f8977957784281db9e5f71589"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "properties": {"repobilityId": 49515, "scanner": "repobility-threat-engine", "fingerprint": "c130b911952ec9a0bdf2fa57e9f503e50ec23fd9af3426a4fd154015bd1aa6d7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 30 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c130b911952ec9a0bdf2fa57e9f503e50ec23fd9af3426a4fd154015bd1aa6d7", "aggregated_count": 30}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 49514, "scanner": "repobility-threat-engine", "fingerprint": "7ca73ba3a191ddabe1e8f21f397690b2a7805b0d7e81712fe1eb4c8831cc15b7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7ca73ba3a191ddabe1e8f21f397690b2a7805b0d7e81712fe1eb4c8831cc15b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifier-wiring.ts"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 49513, "scanner": "repobility-threat-engine", "fingerprint": "23850c88a8724c182adc4b53db4bbf64551d653a00e9b90a6f7e2ec416a9c7f3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|23850c88a8724c182adc4b53db4bbf64551d653a00e9b90a6f7e2ec416a9c7f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release/rebuild-native.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 49512, "scanner": "repobility-threat-engine", "fingerprint": "1d17283d2460fc40c8c587e9409c9ea68861c0eb239eef445cfedefa1a9b59c0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1d17283d2460fc40c8c587e9409c9ea68861c0eb239eef445cfedefa1a9b59c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release/build.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 49511, "scanner": "repobility-threat-engine", "fingerprint": "13d8eeaf2047d870d89ee4208bf4675740126fa71b4bb95b5a7707cb24ae3ccb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|13d8eeaf2047d870d89ee4208bf4675740126fa71b4bb95b5a7707cb24ae3ccb"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "properties": {"repobilityId": 49507, "scanner": "repobility-threat-engine", "fingerprint": "ba89edbfbc62838876a8f449dddf3598b0d3fd16d59fb2a0927371c3c661bcd9", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ba89edbfbc62838876a8f449dddf3598b0d3fd16d59fb2a0927371c3c661bcd9"}}}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 49503, "scanner": "repobility-threat-engine", "fingerprint": "09c876a6112a50c617bbe0270d9e59c0cdad9af841e1397487aab166f1884c1d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|09c876a6112a50c617bbe0270d9e59c0cdad9af841e1397487aab166f1884c1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/postinstall.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 49502, "scanner": "repobility-threat-engine", "fingerprint": "616a737d019ae97f53e0426cdc95b2538ef7f9404ddcccfa97846cbdfe3982a9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|616a737d019ae97f53e0426cdc95b2538ef7f9404ddcccfa97846cbdfe3982a9", "aggregated_count": 5}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 49501, "scanner": "repobility-threat-engine", "fingerprint": "dd5537ab5d0436b8e7ae2d1a96a3003e17f776bcd3cfc2d654b32f46cf164bb9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dd5537ab5d0436b8e7ae2d1a96a3003e17f776bcd3cfc2d654b32f46cf164bb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release/verify-mac.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 49500, "scanner": "repobility-threat-engine", "fingerprint": "2c5f55fe6153838306d423973f9dc3d1b64e9a245bc5e161f94d19b2dada6021", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2c5f55fe6153838306d423973f9dc3d1b64e9a245bc5e161f94d19b2dada6021"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release/notarize-mac.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 49499, "scanner": "repobility-threat-engine", "fingerprint": "af05640bc41c704b3cfa681d008fdb067c94f52db2afc8a2bdbcf931f5472926", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|af05640bc41c704b3cfa681d008fdb067c94f52db2afc8a2bdbcf931f5472926"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/postinstall.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC003", "level": "none", "message": {"text": "[SEC003] Hardcoded Secret (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 6308, "scanner": "repobility-threat-engine", "fingerprint": "0b40ed4e60409cf53c7fb8c02d20f6bb1b280bcbda671ce21f8a758fbbc77db6", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0b40ed4e60409cf53c7fb8c02d20f6bb1b280bcbda671ce21f8a758fbbc77db6"}}}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 6304, "scanner": "repobility-threat-engine", "fingerprint": "d784a4ff6190c94212586a34c8570ee94b0f2f0cf0f7c995eb7152615a4fa10c", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d784a4ff6190c94212586a34c8570ee94b0f2f0cf0f7c995eb7152615a4fa10c"}}}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 49553, "scanner": "repobility-journey-contract", "fingerprint": "8925f69ac848ab48b0110fed04833a5ba1b1dd506ea5f3a218e3c3b41602a83f", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder. Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|14|jrn009", "duplicate_count": 3, "duplicate_rule_ids": ["JRN009"], "duplicate_scanners": ["repobility-journey-contract"], "duplicate_fingerprints": ["2062a9b5fe06c244209a91180fbdf1886f12d3a091db0ac61d688d09065d99ee", "48ca5e6b2a18642e27bf54498c6be7680664c7343ddbd14f6730aa5d5a0e5f12", "8925f69ac848ab48b0110fed04833a5ba1b1dd506ea5f3a218e3c3b41602a83f", "c1b0d31d90c8225318c176db9a3ee84879ecf31569c793cdaba2265a9c8532ea"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/features/integrations/AsanaSetupForm.tsx"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 49550, "scanner": "repobility-threat-engine", "fingerprint": "feea144a5581ad7b94cec59d45a5facb068a21f0d32dbfe2f17ee20abd777186", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|feea144a5581ad7b94cec59d45a5facb068a21f0d32dbfe2f17ee20abd777186"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/features/tasks/create-task-modal/workspace-settings-section.tsx"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 49537, "scanner": "repobility-threat-engine", "fingerprint": "ed603540b58b27c5ebd0d847ecc17648212b0090bdf37f299dd056fbcfe980b4", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Bytes(args.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ed603540b58b27c5ebd0d847ecc17648212b0090bdf37f299dd056fbcfe980b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/pty/persist-dropped-blob.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 49536, "scanner": "repobility-threat-engine", "fingerprint": "1a4a0a9b5f39cc24e61ce827f61b7d56d1644bd72bf91d278b690e0bb0d5688b", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.resolve(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|64|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/projects/worktrees/hosts/local-worktree-host.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 49534, "scanner": "repobility-threat-engine", "fingerprint": "cc6dcd19d08e4d2998d711867ee15becee7a1814e69a2732da46551cf3754311", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.sessions.delete(sessionId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cc6dcd19d08e4d2998d711867ee15becee7a1814e69a2732da46551cf3754311"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/conversations/impl/ssh-conversation.ts"}, "region": {"startLine": 187}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 49533, "scanner": "repobility-threat-engine", "fingerprint": "f83e148c8a493d81db7f84069992c52b5c3b995376d44575d4927eb299230b2e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.runtimes.delete(sessionId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f83e148c8a493d81db7f84069992c52b5c3b995376d44575d4927eb299230b2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/conversations/conversation-session-supervisor.ts"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 49532, "scanner": "repobility-threat-engine", "fingerprint": "369bb03e04fc56990f6a99faac2aa3f6d68cffed8d12fa5556345b4166910f21", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "req.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|369bb03e04fc56990f6a99faac2aa3f6d68cffed8d12fa5556345b4166910f21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/hook-server.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 49527, "scanner": "repobility-threat-engine", "fingerprint": "d2d849ba0d09fde38f9c1bcf6df90b79280eb7c617f7fd9da7dffdd4201ec7b1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d2d849ba0d09fde38f9c1bcf6df90b79280eb7c617f7fd9da7dffdd4201ec7b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/agent-hooks/classifiers/codebuff.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 49522, "scanner": "repobility-threat-engine", "fingerprint": "55efbb186329a33a5b2edb638f98bbb97c0a32560ecdb55148b6fbdaab0217af", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|55efbb186329a33a5b2edb638f98bbb97c0a32560ecdb55148b6fbdaab0217af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/app/controller.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 49521, "scanner": "repobility-threat-engine", "fingerprint": "bf8336eddacfe73f798210a2bdd2b480c58a29bd15e5417ca9e8ec01a6f81716", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bf8336eddacfe73f798210a2bdd2b480c58a29bd15e5417ca9e8ec01a6f81716"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/app/window.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 49520, "scanner": "repobility-threat-engine", "fingerprint": "13c213715deeb7a0b24b70610bcfdf574739682b7b783a54aaf002b90a90affa", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|13c213715deeb7a0b24b70610bcfdf574739682b7b783a54aaf002b90a90affa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/app/protocol.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 49518, "scanner": "repobility-threat-engine", "fingerprint": "e7ae80142e67a15b7ac1089cae34011be233abec888f255c6718c4dd60d7f0d1", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((projectKey) => `\"${escapeJqlValue(`${projectKey}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e7ae80142e67a15b7ac1089cae34011be233abec888f255c6718c4dd60d7f0d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/jira/jira-issue-provider.ts"}, "region": {"startLine": 152}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 49517, "scanner": "repobility-threat-engine", "fingerprint": "8c3ffdd9aee7ac388afb1470af0e736dd3e3a0d133fcaba4eba83c6dcc56aac9", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([key, value]) => `${key}=${quoteShellArg(value)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8c3ffdd9aee7ac388afb1470af0e736dd3e3a0d133fcaba4eba83c6dcc56aac9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/execution-context/ssh-execution-context.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 49516, "scanner": "repobility-threat-engine", "fingerprint": "206f0da287f977fd366293e1ffc32a500199c08bd5a10f47e005d0ca96bdf766", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(({ file, error }) => `  ${file}: ${error}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|206f0da287f977fd366293e1ffc32a500199c08bd5a10f47e005d0ca96bdf766"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release/verify-linux.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 49510, "scanner": "repobility-threat-engine", "fingerprint": "6bce183bdb65701e12349700178c48d87c7f6383fe99ac92c6c867efa6f2e429", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(\n      command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6bce183bdb65701e12349700178c48d87c7f6383fe99ac92c6c867efa6f2e429"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/app/utils.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 49509, "scanner": "repobility-threat-engine", "fingerprint": "75387177d0710305c1271596a543f715c4a3afe531e7ba53425978f1a9526cbf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(version", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|75387177d0710305c1271596a543f715c4a3afe531e7ba53425978f1a9526cbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release/verify-linux.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 49508, "scanner": "repobility-threat-engine", "fingerprint": "4a110931dc6a33d1534154711172f4662f3c88457dee8758b06dd23f2c4c6f02", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4a110931dc6a33d1534154711172f4662f3c88457dee8758b06dd23f2c4c6f02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release/build.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `ubuntu:22.04` unpinned"}, "properties": {"repobilityId": 49497, "scanner": "repobility-supply-chain", "fingerprint": "ed0745493b97bd64422130561415035cdd902b5ff8bb4eb59ae5bf2a0767e6ae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ed0745493b97bd64422130561415035cdd902b5ff8bb4eb59ae5bf2a0767e6ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-canary.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `apple-actions/import-codesign-certs` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 49496, "scanner": "repobility-supply-chain", "fingerprint": "700819e52a8354d43fe5c3ba02c2db25566b653f23b75068b2b9558c904d0ba9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|700819e52a8354d43fe5c3ba02c2db25566b653f23b75068b2b9558c904d0ba9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-canary.yml"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 49495, "scanner": "repobility-supply-chain", "fingerprint": "ce47af44d86d3aea24d46160ca811d4d9007f2705e66ae9e1de022cfe4989105", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ce47af44d86d3aea24d46160ca811d4d9007f2705e66ae9e1de022cfe4989105"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-canary.yml"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 49494, "scanner": "repobility-supply-chain", "fingerprint": "969741217ae44337aaf2fbba3dc5581193b2c8b759bb93bd34a068c3de393826", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|969741217ae44337aaf2fbba3dc5581193b2c8b759bb93bd34a068c3de393826"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-canary.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 49493, "scanner": "repobility-supply-chain", "fingerprint": "ba974329322277c977e6e3d2e05d62bddd687206aa651b16c2c791f20ca5cfb7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ba974329322277c977e6e3d2e05d62bddd687206aa651b16c2c791f20ca5cfb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-canary.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `ubuntu:22.04` unpinned"}, "properties": {"repobilityId": 49492, "scanner": "repobility-supply-chain", "fingerprint": "d59c934e12b7837afddf54cf5d2e8ef2b2f7500149069e0b5de1c6ecf8a5c101", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d59c934e12b7837afddf54cf5d2e8ef2b2f7500149069e0b5de1c6ecf8a5c101"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-prod.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `apple-actions/import-codesign-certs` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 49491, "scanner": "repobility-supply-chain", "fingerprint": "139e3db748c6348572a638e3d4be6d87ec2d2a68c39d61aaa5f8818bbf0b6ea9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|139e3db748c6348572a638e3d4be6d87ec2d2a68c39d61aaa5f8818bbf0b6ea9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-prod.yml"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 49490, "scanner": "repobility-supply-chain", "fingerprint": "8cbcc072f8334d617ec329d61507c4d0dcd6a621985653d87aa161883d208e6f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8cbcc072f8334d617ec329d61507c4d0dcd6a621985653d87aa161883d208e6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-prod.yml"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 49489, "scanner": "repobility-supply-chain", "fingerprint": "fecd392be054e545074d2262c7568e2377a53e25ed0dd0843fb18dc1393d1e7a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fecd392be054e545074d2262c7568e2377a53e25ed0dd0843fb18dc1393d1e7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-prod.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 49488, "scanner": "repobility-supply-chain", "fingerprint": "5a290bd13db8dea123802a6494820d79317a65ccc32ba4b250a3e24a4fe0b53f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5a290bd13db8dea123802a6494820d79317a65ccc32ba4b250a3e24a4fe0b53f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-prod.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 49487, "scanner": "repobility-supply-chain", "fingerprint": "1788aebafa15dda9d60952cc97146b56eb247deb260a5870bbd8b3b678a481f6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1788aebafa15dda9d60952cc97146b56eb247deb260a5870bbd8b3b678a481f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nix-build.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `cachix/cachix-action` pinned to mutable ref `@v15`"}, "properties": {"repobilityId": 49486, "scanner": "repobility-supply-chain", "fingerprint": "3f370db244ca8840f7eb73e3ae4cedcfa478dfbd5beb51af4ce4b7cc78978fba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3f370db244ca8840f7eb73e3ae4cedcfa478dfbd5beb51af4ce4b7cc78978fba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nix-build.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `cachix/install-nix-action` pinned to mutable ref `@v27`"}, "properties": {"repobilityId": 49485, "scanner": "repobility-supply-chain", "fingerprint": "5288d8009fac979c0a8c5cf69a695bd6588e524b0b384811135825075bf39c3d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5288d8009fac979c0a8c5cf69a695bd6588e524b0b384811135825075bf39c3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nix-build.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 49484, "scanner": "repobility-supply-chain", "fingerprint": "22c571379f0fc5178178691f69bb81e0d798a6529895ac9ec75fe90aaa458caf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|22c571379f0fc5178178691f69bb81e0d798a6529895ac9ec75fe90aaa458caf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nix-build.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 49483, "scanner": "repobility-supply-chain", "fingerprint": "303daaaec0abfc60b82935a246767dc6090066e95d985bebd7d16b1a0acd1af3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|303daaaec0abfc60b82935a246767dc6090066e95d985bebd7d16b1a0acd1af3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/windows-beta-build.yml"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 49482, "scanner": "repobility-supply-chain", "fingerprint": "33f2b1dbb605722531f93c212d445e0217c6c37c2f053c711847fbfd2959eee0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|33f2b1dbb605722531f93c212d445e0217c6c37c2f053c711847fbfd2959eee0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/windows-beta-build.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 49481, "scanner": "repobility-supply-chain", "fingerprint": "ca648dd4386b1dd62acde73cda8f3f1614d8df9777f112f0ab38382c365b906d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ca648dd4386b1dd62acde73cda8f3f1614d8df9777f112f0ab38382c365b906d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/windows-beta-build.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 49480, "scanner": "repobility-supply-chain", "fingerprint": "f6a54d7d57c0a0e2298cbd892fa2f57a8ecedf90a3ccb07fce36e1d549e1b4b5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f6a54d7d57c0a0e2298cbd892fa2f57a8ecedf90a3ccb07fce36e1d549e1b4b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/windows-beta-build.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 49479, "scanner": "repobility-supply-chain", "fingerprint": "2d41d2065c0c966c3022871664fa68b70490ce7966dcf0c1ee2473e48c40367e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2d41d2065c0c966c3022871664fa68b70490ce7966dcf0c1ee2473e48c40367e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/windows-beta-build.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 49478, "scanner": "repobility-supply-chain", "fingerprint": "6aef60df9d8b89c9ac9376ec6c17c729d43e3148838c543b1fa36d30fb07a059", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6aef60df9d8b89c9ac9376ec6c17c729d43e3148838c543b1fa36d30fb07a059"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-consistency-check.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 49477, "scanner": "repobility-supply-chain", "fingerprint": "f3face854a875e8c942a01737218771de89f25f6586810c39a5cb077cb90ffeb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f3face854a875e8c942a01737218771de89f25f6586810c39a5cb077cb90ffeb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-consistency-check.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 49476, "scanner": "repobility-supply-chain", "fingerprint": "7a9fb3be4b474d15038f9cd111144b5d41755c5f456363958dda4a9bded0f80a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7a9fb3be4b474d15038f9cd111144b5d41755c5f456363958dda4a9bded0f80a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-consistency-check.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `ubuntu:24.04` not pinned by digest"}, "properties": {"repobilityId": 49475, "scanner": "repobility-supply-chain", "fingerprint": "2c2be2cda028bdbf0b60a3eeb086625f184a97ea61ac77652b073ef9cadfe85c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2c2be2cda028bdbf0b60a3eeb086625f184a97ea61ac77652b073ef9cadfe85c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tooling/byoi/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `ubuntu:24.04` not pinned by digest"}, "properties": {"repobilityId": 49474, "scanner": "repobility-supply-chain", "fingerprint": "03daea0855c7d0c9ba7d81e92c9d03a7e73a75166f9069ebc02631ecf8c3b173", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|03daea0855c7d0c9ba7d81e92c9d03a7e73a75166f9069ebc02631ecf8c3b173"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tooling/docker-ssh/dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 6323, "scanner": "repobility-journey-contract", "fingerprint": "2062a9b5fe06c244209a91180fbdf1886f12d3a091db0ac61d688d09065d99ee", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder. Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|14|jrn009", "duplicate_count": 2, "duplicate_rule_ids": ["JRN009"], "duplicate_scanners": ["repobility-journey-contract"], "duplicate_fingerprints": ["2062a9b5fe06c244209a91180fbdf1886f12d3a091db0ac61d688d09065d99ee", "48ca5e6b2a18642e27bf54498c6be7680664c7343ddbd14f6730aa5d5a0e5f12", "c1b0d31d90c8225318c176db9a3ee84879ecf31569c793cdaba2265a9c8532ea"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/features/integrations/FeaturebaseSetupForm.tsx"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 6318, "scanner": "repobility-docker", "fingerprint": "7887f7c9dea99c82d07a2ef183e4ce8cf13af1ca8996fc949f46763cf38b5265", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7887f7c9dea99c82d07a2ef183e4ce8cf13af1ca8996fc949f46763cf38b5265"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tooling/docker-ssh/dockerfile"}, "region": {"startLine": 124}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 6316, "scanner": "repobility-docker", "fingerprint": "476d54fa31962c4974637b42821ad26823b9936f9f664a6a6c815b3b29728db3", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|476d54fa31962c4974637b42821ad26823b9936f9f664a6a6c815b3b29728db3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tooling/docker-ssh/dockerfile"}, "region": {"startLine": 54}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 6313, "scanner": "repobility-docker", "fingerprint": "33a17d51c3f9749522c516470008a65bca22f26f75d903e3ba92e015ddff8ec0", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|33a17d51c3f9749522c516470008a65bca22f26f75d903e3ba92e015ddff8ec0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tooling/byoi/Dockerfile"}, "region": {"startLine": 87}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 6311, "scanner": "repobility-docker", "fingerprint": "8220f1500b93318d2726b685e746169506791bc10efe1be4aeecb8bbc64e6bc8", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8220f1500b93318d2726b685e746169506791bc10efe1be4aeecb8bbc64e6bc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tooling/byoi/Dockerfile"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED133", "level": "error", "message": {"text": "Hardcoded Discord webhook URL in source"}, "properties": {"repobilityId": 49498, "scanner": "repobility-supply-chain", "fingerprint": "08cf3401c59b0ba9ef9e26110f74c4efe706f2c8e2788b90f9052e483d1657ab", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "exfil-webhook-url", "owasp": null, "cwe_ids": ["CWE-200", "CWE-540"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|08cf3401c59b0ba9ef9e26110f74c4efe706f2c8e2788b90f9052e483d1657ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/lib/components/feedback-modal/use-feedback-submit.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 6320, "scanner": "repobility-docker", "fingerprint": "a3f95c0d2de66be932711910b15cb8c7b1de1a56bfbc1b3c0ee4092ca91a9aac", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "ssh-dev", "variable": "ANTHROPIC_API_KEY", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|a3f95c0d2de66be932711910b15cb8c7b1de1a56bfbc1b3c0ee4092ca91a9aac", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 11}}}]}]}]}